CVE-2018-1999024

NameCVE-2018-1999024
DescriptionMathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax. This vulnerability appears to have been fixed in 2.7.4 and later.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mathjax (PTS)jessie2.4-2vulnerable
stretch2.7.0-2vulnerable
buster2.7.4+dfsg-1fixed
sid, trixie, bullseye, bookworm2.7.9+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mathjaxsourcewheezy(unfixed)end-of-life
mathjaxsource(unstable)2.7.4+dfsg-1

Notes

[stretch] - mathjax <no-dsa> (Minor issue)
[jessie] - mathjax <no-dsa> (Minor issue)
https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1

Search for package or bug name: Reporting problems