CVE-2020-26870: Cross-site Scripting

October 7, 2020 (updated July 20, 2021)

Cure53 DOMPurify allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

References

nvd.nist.gov/vuln/detail/CVE-2020-26870
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870

Code Behaviors & Features

Detect and mitigate CVE-2020-26870 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →