GHSA-gxr4-xjj5-5px2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gxr4-xjj5-5px2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gxr4-xjj5-5px2
- Aliases
- Related
- Published
- 2020-04-29T22:18:55Z
- Modified
- 2025-01-31T20:51:56.658421Z
- Severity
-
- 6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator
- Summary
- Potential XSS vulnerability in jQuery
- Details
-
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(),.append(), and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) { return html; };You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
- Database specific
{ "nvd_published_at": "2020-04-29T22:15:00Z", "severity": "MODERATE", "github_reviewed_at": "2020-04-29T22:18:37Z", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
- https://nvd.nist.gov/vuln/detail/CVE-2020-11022
- https://github.com/maximebf/php-debugbar/issues/447
- https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
- https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W
- https://security.gentoo.org/glsa/202007-03
- https://security.netapp.com/advisory/ntap-20200511-0006
- https://www.debian.org/security/2020/dsa-4693
- https://www.drupal.org/sa-core-2020-002
- https://www.npmjs.com/advisories/1518
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2020-10
- https://www.tenable.com/security/tns-2020-11
- https://www.tenable.com/security/tns-2021-02
- https://www.tenable.com/security/tns-2021-10
- https://github.com/advisories/GHSA-gxr4-xjj5-5px2
- https://github.com/jquery/jquery
- https://github.com/jquery/jquery/releases/tag/3.5.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml
- https://jquery.com/upgrade-guide/3.5
- https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
- http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
Affected packages
Maven
org.webjars.npm:jquery
Package
- Name
- org.webjars.npm:jquery
- View open source insights on deps.dev
- Purl
- pkg:maven/org.webjars.npm/jquery
npm
jquery
Package
- Name
- jquery
- View open source insights on deps.dev
- Purl
- pkg:npm/jquery
NuGet
jquery
Package
- Name
- jquery
- View open source insights on deps.dev
- Purl
- pkg:nuget/jquery
Affected versions
1.*
1.4.1
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.1.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0
1.9.1
1.10.0
1.10.0.1
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
2.*
2.0.0
2.0.1
2.0.1.1
2.0.2
2.0.3
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
3.*
3.0.0
3.0.0.1
3.1.0
3.1.1
3.2.1
3.3.1
3.4.0
3.4.1
Packagist
maximebf/debugbar
Package
- Name
- maximebf/debugbar
- Purl
- pkg:composer/maximebf/debugbar
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.19.0
Affected versions
1.*
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1
1.2
1.3
1.4
1.5
1.5.1
1.6
1.6.1
1.7
1.7.1
1.8
1.9
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12
1.9.13
1.9.14
1.9.15
1.10.0
1.10.1
1.13.1
v1.*
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.11.0
v1.11.1
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.16.4
v1.16.5
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.18.0
v1.18.1
v1.18.2
athlon1600/youtube-downloader
components/jquery
Package
- Name
- components/jquery
- Purl
- pkg:composer/components/jquery
RubyGems
jquery-rails
Package
- Name
- jquery-rails
- Purl
- pkg:gem/jquery-rails
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.4.0
Affected versions
0.*
0.1.1
0.1.2
0.1.3
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
1.*
1.0.rc
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
2.*
2.0.1
2.0.2
2.0.3
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.3.0
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
4.*
4.0.0.beta1
4.0.0.beta2
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5