Necessarily indicate when this vulnerability wasĭiscovered, shared with the affected vendor, publicly The CVE ID was allocated or reserved, and does not MS:Visual Studio Remote Code Execution Vulnerabilityĭisclaimer: The record creation date may reflect when.MLIST: 20201029 dompurify.js security update.Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.
This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. Cure53 DOMPurify before 2.0.17 allows mutation XSS.
