CVE-2020-26870
07.10.2020, 16:15
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
Vendor | Product | Version |
---|---|---|
cure53 | dompurify | 𝑥 < 2.0.17 |
debian | debian_linux | 9.0 |
microsoft | visual_studio_2017 | 15.9 |
microsoft | visual_studio_2019 | 16.0 |
microsoft | visual_studio_2019 | 16.4 |
microsoft | visual_studio_2019 | 16.7 |
microsoft | visual_studio_2019 | 16.8 |
oracle | application_express | 𝑥 < 21.1.0.00.01 |
𝑥 = Vulnerable software versions
