Description
DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.
Remediation
References
https://research.securitum.com/dompurify-bypass-using-mxss/
https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
Related Vulnerabilities
CVE-2020-8203 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash
CVE-2021-23371 Vulnerability in npm package chrono-node
CVE-2023-29522 Vulnerability in maven package org.xwiki.platform:xwiki-platform-xclass-ui
CVE-2018-16330 Vulnerability in npm package editor.md
CVE-2023-35839 Vulnerability in maven package org.noear:solon.serialization.hessian