MathJax versions 2.7.2 and earlier contain a stored XSS risk. The MathJax URL has been updated to reference a newer version, which has the vulnerability patched.
|Versions affected:||3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions|
|Versions fixed:||3.8.3, 3.7.6, 3.6.10 and 3.5.12|
|Reported by:||Abdullah Hussam|
|Workaround:||Manually update the MathJax URL in site administration to reference the patched version (https://firstname.lastname@example.org/MathJax.js)|
|Tracker issue:||MDL-68430 MathJax URL upgraded to later version to remove XSS risk (upstream)|