CVE-2019-16728 — Cross-site Scripting in Dompurify

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

1.0%

top 23.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cure53 Dompurify Debian Linux

Timeline

PublishedSep 24

Latest updateAug 28

Description

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDcure53/dompurify< 2.0.1

▶npmcure53/dompurify< 2.0.3

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

Cross-Site Scripting in dompurify↗2020-08-28

▶

OSV

Cross-Site Scripting in dompurify↗2020-08-28

▶

CVEList

CVE-2019-16728: DOMPurify before 2↗2019-09-24

▶

OSV

CVE-2019-16728: DOMPurify before 2↗2019-09-24

▶