EIQ-2020-0013#

ID

EIQ-2020-0013

CVE

CVE-2020-26870

Description

DOMPurify could allow XSS through SVG, MATH, or FORM elements

Date

11 Nov 2019

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

✅ 2.9.0

Assessment

DOMPurify versions 2.1.16 and earlier could allow cross-site scripting (XSS) by exploiting mutation cross-site scripting (mXSS) of the innerHTML element for an SVG, MATH, or FORM element.

A signed-in user with admin access rights may be able to inject potentially malicious HTML through an SVG, MATH, or FORM element.

This blog post describes a PoC to exploit the vulnerability through the FORM element.

The only possible scenario where this vulnerability could be exploited in the platform might occur when a malicious extension sends malicious HTML through the transport_access_details field.

Platform extensions meant for production must pass internal review and QA.

A malicious extension would not pass validation, and it would be rejected.

Mitigation

To mitigate this vulnerability:

Affected versions

2.4.0 to 2.8.0 included.

Notes

For more information, see: