
CVE-2019-16728 : Security Advisory and Response

CVE-2019-16728 affects DOMPurify, the client-side HTML sanitizer, in every version before 2.0.1. A crafted fragment built around SVG or MATH elements passes DOMPurify's checks, but when the sanitized string is assigned to innerHTML the browser parses it into a different tree, one that contains executable markup the sanitizer never saw. This is an innerHTML mutation XSS (mXSS). The bypass was demonstrated on Chrome and Safari. The fix is to upgrade to DOMPurify 2.0.1 or later; mitigation steps follow below.

Understanding CVE-2019-16728

Mutation XSS is a sanitizer bypass that does not depend on the sanitizer letting a dangerous tag through. The input is parsed once; the sanitizer inspects and cleans that DOM tree and serializes it back to a string; the application then parses the string a second time by assigning it to innerHTML. If the second parse yields a different tree from the one the sanitizer inspected, content that was inert in the first tree (a text node, a comment, an attribute value) can become a live element or event handler in the second. DOMPurify before 2.0.1 could be driven into such a mismatch with SVG and MATH elements.

What is CVE-2019-16728?

The CVE record states it concisely: DOMPurify before 2.0.1 allows XSS due to innerHTML mutation XSS (mXSS) for SVG and MATH elements, demonstrated on Chrome and Safari. The weakness is in the sanitized output rather than in a missing allow-list entry: the markup DOMPurify returns is clean as a tree but unsafe as a string that will be re-parsed.

The Impact of CVE-2019-16728

        Vulnerability type: cross-site scripting (XSS) through innerHTML mutation (mXSS); the sanitizer is bypassed, not misconfigured
        Affected elements: SVG and MATH, whose contents the HTML parser handles under foreign-content rules rather than ordinary HTML rules
        Demonstrated on: Chrome and Safari (the browsers named in the CVE record; other engines are not listed either way)
        Consequence: script execution in the origin of any page that renders DOMPurify-sanitized, attacker-supplied HTML, such as comments, messages or rendered markdown

Technical Details of CVE-2019-16728

Vulnerability Description

        Cross-site scripting through innerHTML mutation XSS (mXSS). A crafted fragment using SVG or MATH elements survives sanitization because every element and attribute in the parsed tree is permitted; the string DOMPurify returns, once re-parsed by the browser, yields a tree containing an element or event handler that the sanitizer never inspected.

Affected Systems and Versions

        All DOMPurify releases before 2.0.1, which includes 2.0.0 and the whole 1.x line, whether installed directly, pulled in as a transitive dependency or bundled into another library's distribution.

Exploitation Mechanism

        The attack relies on the HTML parser treating the same markup differently depending on context. Inside an <svg> or <math> element the parser is in foreign content, where elements such as <style> are ordinary elements whose children are parsed as markup; in HTML content <style> is a raw-text element whose content runs until the first </style>. A fragment can therefore be arranged so that, at sanitization time, a string such as "</style><img ...>" sits harmlessly in a text node or attribute value of an element under <svg> or <math>, while the serialized output, once re-parsed through innerHTML, places the <style> in HTML content, ends it at the embedded </style>, and parses the remainder as live elements. DOMPurify saw only allowed elements and attributes; the browser executes the handler that exists only after the second parse.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to DOMPurify 2.0.1 or later. Rebuild and redeploy any bundle that embeds the library, and check transitive and vendored copies as well as the direct dependency (npm ls dompurify lists every installed copy).
        Where rich HTML is not actually required, do not sanitize at all: HTML-entity-encode on output and insert with textContent rather than innerHTML. Input validation alone does not help here, because the payload consists entirely of permitted elements and the dangerous markup only exists after re-parsing.
        Where sanitized HTML must be inserted, prefer DOMPurify's RETURN_DOM_FRAGMENT (or RETURN_DOM) option and append the returned nodes directly instead of assigning a string to innerHTML; this removes the serialize-and-re-parse step that mXSS depends on. Treat it as defence in depth, not as a substitute for the upgrade.
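As an added example (not code from this advisory or from the DOMPurify project), the following Node.js script audits an npm lock file for installed copies of DOMPurify in the affected range, including copies nested under other packages. The lock-file contents, the package name legacy-editor and the helper names are constructed for this example; the affected range (< 2.0.1) is the one stated above.

```javascript
// Added example, not from the advisory or the DOMPurify project: audit an npm
// lock file for copies of dompurify in the range affected by CVE-2019-16728.
// Assumptions: the affected range is "< 2.0.1" (as stated in the advisory) and
// the lock file uses npm's lockfileVersion 1 (nested "dependencies") or 2/3
// ("packages" keyed by install path). All lock-file data here is constructed.

const FIXED_VERSION = '2.0.1';

// Parse "MAJOR.MINOR.PATCH" into three integers. A "-prerelease" or "+build"
// suffix is dropped, a simplification that treats "2.0.1-rc.1" as fixed.
function parseVersion(v) {
  const core = String(v).split(/[-+]/, 1)[0];
  const parts = core.split('.').map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison returning -1, 0 or 1 (a string comparison would rank
// 2.0.10 below 2.0.9).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when a version is in the affected range (< 2.0.1).
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Return every installed copy of dompurify with its install path, so that a
// second copy nested under another package is reported, not just the top one.
function findDompurify(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys such as "node_modules/x/node_modules/dompurify".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/dompurify' || path.endsWith('/node_modules/dompurify')) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'dompurify') hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Annotate each copy with the verdict.
function auditLock(lock) {
  return findDompurify(lock).map((h) => ({ ...h, vulnerable: isVulnerableVersion(h.version) }));
}

// Constructed lockfileVersion 2 sample: the app depends on the fixed release,
// but a hypothetical "legacy-editor" package carries its own 1.0.11 copy.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/dompurify': { version: '2.0.1' },
    'node_modules/legacy-editor': { version: '0.9.0', dependencies: { dompurify: '^1.0.0' } },
    'node_modules/legacy-editor/node_modules/dompurify': { version: '1.0.11' },
  },
};

// Constructed lockfileVersion 1 sample with a nested 2.0.0 copy.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-editor': {
      version: '0.9.0',
      dependencies: { dompurify: { version: '2.0.0' } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  for (const r of auditLock(lock)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok'}\t${r.path}@${r.version}`);
  }
}
```

To run it against a real project, replace the sample objects with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The same isVulnerableVersion check can be applied at runtime to DOMPurify.version so that a page refuses to render untrusted HTML through an affected copy.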

Long-Term Security Practices

        Keep DOMPurify and any other sanitizer up to date and follow their release notes, since a sanitizer bypass is a code-execution issue in every origin that uses the library
        Run dependency auditing (for example npm audit) in CI so that an affected version fails the build, and include sanitizer-bypass cases, mXSS among them, in security audits and penetration tests of any feature that renders user-supplied HTML

Patching and Updates

        Apply sanitizer fixes promptly. A patch-level upgrade such as 2.0.0 to 2.0.1 follows semantic versioning and should be a drop-in change, so the cost of patching is low compared with the exposure of serving attacker-supplied HTML through an affected copy
