CVE-2020-26870

Cross-site Scripting in npm/dompurify

Identifiers

CVE-2020-26870

Package Slug

npm/dompurify

Vulnerability

Cross-site Scripting

Description

Cure53 DOMPurify allows mutation XSS (mXSS). This occurs because a serialize-parse round trip does not necessarily return the original DOM tree: an element's namespace can change from HTML to MathML during re-parsing, as demonstrated by nested FORM elements.

Affected Versions

All versions before 2.0.17

Solution

Upgrade to version 2.0.17 or above.

Last Modified

2020-10-19
