Vulnerability Description
MathJax versions prior to 2.7.4 contain a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in potentially untrusted JavaScript running within a web browser. This attack appears to be exploitable when the victim views a page where untrusted content is processed using MathJax. This vulnerability appears to have been fixed in 2.7.4 and later.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mathjax | Mathjax | < 2.7.4 |
Related Weaknesses (CWE)
References
- https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html (Exploit, Third Party Advisory)
- https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852 (Patch, Third Party Advisory)
FAQ
What is CVE-2018-1999024?
CVE-2018-1999024 is a vulnerability with a CVSS score of 5.4 (MEDIUM). MathJax versions prior to 2.7.4 contain a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in potentially untrusted JavaScript running within a web browser. Thi...
How severe is CVE-2018-1999024?
CVE-2018-1999024 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-1999024?
Check the references section above for vendor advisories and patch information. Affected products include: Mathjax Mathjax.