Description
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
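A check for the affected range stated above, as an added example that is not part of the original advisory or of DOMPurify itself: it walks a parsed package-lock.json (either the flat `packages` layout or the older nested `dependencies` layout) and reports every bundled copy of dompurify older than 2.0.17. The function names, the sample lockfile and the `legacy-editor` package name are constructed for illustration.

```javascript
// Added example: flag DOMPurify copies below 2.0.17 in a parsed package-lock.json.
const FIXED = [2, 0, 17]; // first fixed release, per the description above

// Parse "major.minor.patch[-prerelease]"; returns null when the string is not a plain version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // git URL, file: path, missing field: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== FIXED[i]) return v.nums[i] < FIXED[i];
  }
  return v.pre; // a 2.0.17 pre-release sorts before the 2.0.17 release
}

// Collect every dompurify entry, including copies nested under other packages.
function findDompurify(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === "node_modules/dompurify" || path.endsWith("/node_modules/dompurify")) {
        found.push({ path, version: pkg.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested "dependencies" tree
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "dompurify") found.push({ path, version: pkg.version });
      walk(pkg.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

function audit(lock) {
  return findDompurify(lock).map((f) => ({ ...f, affected: isAffected(f.version) }));
}

// Constructed sample lockfile; "legacy-editor" is a hypothetical package name.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/dompurify": { version: "2.0.17" },
  "node_modules/legacy-editor/node_modules/dompurify": { version: "2.0.8" } } };
console.log(audit(SAMPLE_LOCK));
```

Nested copies matter here because a patched top-level dompurify does not update a vulnerable copy pinned inside another dependency.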
Remediation
References
Related Vulnerabilities
WordPress Plugin N5 Upload Form Arbitrary File Upload (1.0)
WordPress 3.0.3 KSES Library Cross-Site Scripting Vulnerability (0.6.2 - 3.0.3)
WordPress Plugin YITH WooCommerce Mailchimp Security Bypass (2.1.3)
WordPress Plugin ARS Reg Secure Cross-Site Scripting (1.1)
SharePoint Download of Code Without Integrity Check Vulnerability (CVE-2020-1210)