GHSA-pgjv-jrg2-gq3v: 
Python vulnerability analysis and mitigation

DOMPurify versions prior to 2.2.2 were found to be vulnerable to Cross-site Scripting (XSS) when converting from SVG namespace. The vulnerability was discovered and publicly disclosed on November 3, 2020, and was assigned the identifier GHSA-pgjv-jrg2-gq3v. DOMPurify is a DOM-only XSS sanitizer for HTML, MathML and SVG, and this vulnerability affected all versions below 2.2.2 (GitHub Advisory, Snyk Report).

The vulnerability is classified as a Cross-site Scripting (XSS) issue with moderate severity. The issue specifically manifests when converting content from the SVG namespace, allowing potential mutation XSS attacks. The vulnerability was discovered through both public and private reports, leading to the identification of multiple mXSS variations (DOMPurify Release).

This vulnerability could allow attackers to perform cross-site scripting attacks, potentially leading to cookie theft, session hijacking, exposure of sensitive information, access to privileged services and functionality, or delivery of malware. The attack requires user interaction and can affect web servers, application servers, and web application environments (Snyk Report).

The vulnerability was patched in DOMPurify version 2.2.2. Users are advised to upgrade to this version or higher to mitigate the risk. The fix addresses both the publicly disclosed mXSS bypass and a privately reported variation. Additionally, the update included adding dialog to the permitted elements list (DOMPurify Release).