GHSA-jpcq-cgw6-v4j6

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json

Aliases

CVE-2020-11023 ( ALSA-2021:1846, ALSA-2021:4142 )

Published

2020-04-29T22:19:14Z

Modified

2023-09-06T19:02:24.302670Z

Details

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

References

Affected packages

npm / jquery

Source Details

Package Name: jquery

Affected ranges

Type: SEMVER
Events: Introduced

1.0.3

Fixed

3.5.0

RubyGems / jquery-rails

Source Details

Package Name: jquery-rails

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

4.4.0

Affected versions

0.*

0.1.1

0.1.2

0.1.3

0.2

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

1.*

1.0.rc

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

2.*

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

4.*

4.0.0.beta1

4.0.0.beta2

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

NuGet / jQuery

Source Details

Package Name: jQuery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.3

Fixed

3.5.0

Affected versions

1.*

1.4.1

1.4.2

1.4.3

1.4.4

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.7.0

1.7.1

1.7.1.1

1.7.2

1.8.0

1.8.1

1.8.2

1.8.3

1.9.0

1.9.1

1.10.0

1.10.0.1

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.11.3

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

2.*

2.0.0

2.0.1

2.0.1.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

3.*

3.0.0

3.0.0.1

3.1.0

3.1.1

3.2.1

3.3.1

3.4.0

3.4.1