CVE-2018-1999024

NameCVE-2018-1999024
DescriptionMathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax. This vulnerability appears to have been fixed in 2.7.4 and later.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mathjax (PTS)jessie2.4-2vulnerable
stretch2.7.0-2vulnerable
buster, sid2.7.4+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mathjaxsource(unstable)2.7.4+dfsg-1medium

Notes

[stretch] - mathjax <no-dsa> (Minor issue)
[jessie] - mathjax <no-dsa> (Minor issue)
https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1

Search for package or bug name: Reporting problems