Vulnerability Details CVE-2018-1999024
MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax. This vulnerability appears to have been fixed in 2.7.4 and later.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 46.9%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 4.3
References
- https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html
- https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1
- https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html
- https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1
Products affected by CVE-2018-1999024
-
cpe:2.3:a:mathjax:mathjax:1.1
-
cpe:2.3:a:mathjax:mathjax:2.0.0
-
cpe:2.3:a:mathjax:mathjax:2.1.0
-
cpe:2.3:a:mathjax:mathjax:2.2.0
-
cpe:2.3:a:mathjax:mathjax:2.3.0
-
cpe:2.3:a:mathjax:mathjax:2.4.0
-
cpe:2.3:a:mathjax:mathjax:2.5.0
-
cpe:2.3:a:mathjax:mathjax:2.5.1
-
cpe:2.3:a:mathjax:mathjax:2.5.2
-
cpe:2.3:a:mathjax:mathjax:2.5.3
-
cpe:2.3:a:mathjax:mathjax:2.6.0
-
cpe:2.3:a:mathjax:mathjax:2.6.1
-
cpe:2.3:a:mathjax:mathjax:2.7.0
-
cpe:2.3:a:mathjax:mathjax:2.7.1
-
cpe:2.3:a:mathjax:mathjax:2.7.2
-
cpe:2.3:a:mathjax:mathjax:2.7.3