Ruby/jquery-rails/1.0.7


This gem provides jQuery and the jQuery-ujs driver for your Rails 4+ application.

https://rubygems.org/gems/jquery-rails
UNKNOWN

17 Security Vulnerabilities

Duplicate Advisory: jQuery Cross Site Scripting vulnerability

Published date: 2023-06-26T21:30:58Z
CVE: CVE-2020-23064
Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-jpcq-cgw6-v4j6. This link is maintained to preserve external references.

Original Description

Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.

Affected versions: ["4.3.5", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Cross-Site Scripting in jquery

Published date: 2020-09-01T16:41:46Z
CVE: CVE-2012-6708
Links:

Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution.

Proof of Concept

$("#log").html(
    $("element[attribute='<img src=\"x\" onerror=\"alert(1)\" />']").html()
);

Recommendation

Update to version 1.9.0 or later.

Affected versions: ["2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

jquery-rails and jquery-ujs subject to Exposure of Sensitive Information

Published date: 2017-10-24T18:33:36Z
CVE: CVE-2015-1840
Links:

jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.

Affected versions: ["4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

jQuery vulnerable to Cross-Site Scripting (XSS)

Published date: 2022-05-14T01:09:51Z
CVE: CVE-2011-4969
Links:

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Affected versions: ["1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

Published date: 2019-04-26T16:29:11Z
CVE: CVE-2019-11358
Links:

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Affected versions: ["4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29T22:18:55Z
CVE: CVE-2020-11022
Links:

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

jQuery.htmlPrefilter = function( html ) {
    return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Affected versions: ["4.3.5", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29T22:19:14Z
CVE: CVE-2020-11023
Links:

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Affected versions: ["4.3.5", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Cross-Site Scripting in jquery

Published date: 2020-05-20T16:18:01Z
CVE: CVE-2020-7656
Links:

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 1.9.0 or later.

Affected versions: ["2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Cross-Site Scripting (XSS) in jquery

Published date: 2018-01-22T13:32:06Z
CVE: CVE-2015-9251
Links:

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Recommendation

Update to version 3.0.0 or later.

Affected versions: ["4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Duplicate Advisory: Prototype Pollution in jquery

Published date: 2019-04-23T15:59:10Z
CVE: CVE-2019-5428
Links:

Duplicate Advisory

This advisory is a duplicate of GHSA-6c3j-c64m-qhgq. This link is maintained to preserve external references.

Original Description

Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects.

Recommendation

Upgrade to version 3.4.0 or later.

Affected versions: ["3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

jQuery vulnerable to Cross-Site Scripting (XSS)

Published date: 2011-09-01
CVE: 2011-4969
CVSS V2: 4.3
Links:

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Affected versions: ["1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Cross-Site Scripting in jquery

Published date: 2020-09-01
Framework: rails
CVE: 2012-6708
CVSS V2: 4.3
CVSS V3: 6.1
Links:

Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution.

Proof of Concept

$(#log).html( $(element[attribute='x\onerror=\alert(1)\/>']).html() );

Affected versions: ["2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

CSRF Vulnerability in jquery-rails

Published date: 2015-06-16
CVE: 2015-1840
CVSS V2: 5.0
Links:

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to https://attacker.com (note the leading space) that will be passed to JQuery, who will see this as a same origin request, and send the user's CSRF token to the attacker domain.

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.

For example, code like this:

link_to params

to code like this:

linkto filteredparams

def filtered_params # Filter just the parameters that you trust end

See also: - http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/

Affected versions: ["4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Cross-Site Scripting (XSS) in jquery

Published date: 2018-01-22
Framework: rails
CVE: 2015-9251
CVSS V2: 6.1
CVSS V3: 6.1
Links:

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Affected versions: ["4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Prototype pollution attack through jQuery $.extend

Published date: 2019-04-19
Framework: rails
CVE: 2019-11358
CVSS V2: 4.3
CVSS V3: 6.1
Links:

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of bject.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Affected versions: ["4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29
Framework: rails
CVE: 2020-11023
CVSS V3: 6.9
Links:

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

Affected versions: ["4.3.5", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

Cross-Site Scripting in jquery

Published date: 2020-05-20
CVE: 2020-7656
CVSS V2: 4.3
CVSS V3: 6.1
Links:

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove , which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.

Affected versions: ["2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0, 4.5.0, 4.5.1, 4.6.0]
Recommendation: Update to version 4.6.0.

78 Other Versions

Version License Security Released
4.6.0 MIT 2023-06-26 - 21:56 over 1 year
4.5.1 MIT 2022-11-10 - 18:30 almost 2 years
4.5.0 MIT 2022-05-23 - 21:27 over 2 years
4.4.0 MIT 2020-05-08 - 15:51 over 4 years
4.3.5 MIT 5 2019-06-13 - 22:51 over 5 years
4.3.4 MIT 5 2019-06-13 - 22:49 over 5 years
4.3.3 MIT 7 2018-04-18 - 17:26 over 6 years
4.3.2 MIT 7 2018-04-18 - 17:24 over 6 years
4.3.1 MIT 7 2017-03-21 - 18:39 over 7 years
4.3.0 MIT 7 2017-03-21 - 18:36 over 7 years
4.2.2 MIT 7 2016-12-29 - 01:10 almost 8 years
4.2.1 MIT 7 2016-08-19 - 16:56 about 8 years
4.2.0 MIT 7 2016-08-19 - 16:53 about 8 years
4.1.1 MIT 9 2016-03-10 - 02:39 over 8 years
4.1.0 MIT 9 2016-01-12 - 23:34 almost 9 years
4.0.5 MIT 8 2015-09-01 - 05:37 about 9 years
4.0.4 MIT 8 2015-06-16 - 18:07 over 9 years
4.0.3 MIT 10 2014-12-29 - 21:19 almost 10 years
4.0.2 MIT 10 2014-12-19 - 23:51 almost 10 years
4.0.1 MIT 10 2014-12-16 - 16:22 almost 10 years
4.0.0 MIT 10 2014-11-26 - 00:29 almost 10 years
4.0.0.beta2 MIT 9 2014-09-06 - 03:17 about 10 years
4.0.0.beta1 MIT 9 2014-09-06 - 00:33 about 10 years
3.1.5 MIT 10 2018-04-18 - 17:35 over 6 years
3.1.4 MIT 10 2015-09-01 - 05:41 about 9 years
3.1.3 MIT 10 2015-06-16 - 18:08 over 9 years
3.1.2 MIT 11 2014-09-02 - 00:33 about 10 years
3.1.1 MIT 11 2014-06-23 - 14:37 over 10 years
3.1.0 MIT 11 2014-01-29 - 06:18 over 10 years
3.0.4 MIT 12 2013-07-11 - 03:45 over 11 years
3.0.3 MIT 12 2013-07-11 - 03:33 over 11 years
3.0.2 MIT 12 2013-07-04 - 18:51 over 11 years
3.0.1 MIT 12 2013-06-08 - 02:18 over 11 years
3.0.0 MIT 12 2013-05-29 - 06:52 over 11 years
2.3.0 MIT 12 2013-05-29 - 06:40 over 11 years
2.2.2 MIT 12 2013-05-29 - 05:50 over 11 years
2.2.1 MIT 12 2013-02-08 - 05:27 over 11 years
2.2.0 UNKNOWN 12 2013-01-19 - 17:13 over 11 years
2.1.4 UNKNOWN 14 2012-11-26 - 17:23 almost 12 years
2.1.3 UNKNOWN 15 2012-09-24 - 15:08 about 12 years
2.1.2 UNKNOWN 15 2012-09-06 - 23:48 about 12 years
2.1.1 UNKNOWN 15 2012-08-18 - 06:44 about 12 years
2.1.0 UNKNOWN 15 2012-08-16 - 20:04 about 12 years
2.0.3 UNKNOWN 16 2012-08-16 - 17:59 about 12 years
2.0.2 UNKNOWN 16 2012-04-03 - 17:56 over 12 years
2.0.1 UNKNOWN 16 2012-02-28 - 23:56 over 12 years
1.0.19 UNKNOWN 16 2011-11-26 - 05:26 almost 13 years
1.0.18 UNKNOWN 16 2011-11-18 - 17:44 almost 13 years
1.0.17 UNKNOWN 16 2011-11-09 - 17:37 almost 13 years
1.0.16 UNKNOWN 16 2011-10-12 - 21:28 about 13 years
1.0.15 UNKNOWN 17 2011-10-12 - 20:57 about 13 years
1.0.14 UNKNOWN 17 2011-09-08 - 20:52 about 13 years
1.0.13 UNKNOWN 17 2011-08-11 - 22:16 about 13 years
1.0.12 UNKNOWN 17 2011-06-23 - 06:37 over 13 years
1.0.11 UNKNOWN 17 2011-06-15 - 23:38 over 13 years
1.0.10 UNKNOWN 17 2011-06-14 - 02:34 over 13 years
1.0.9 UNKNOWN 17 2011-05-26 - 03:38 over 13 years
1.0.8 UNKNOWN 17 2011-05-26 - 03:31 over 13 years
1.0.7 UNKNOWN 17 2011-05-22 - 02:42 over 13 years
1.0.6 UNKNOWN 17 2011-05-21 - 19:25 over 13 years
1.0.5 UNKNOWN 17 2011-05-17 - 21:48 over 13 years
1.0.4 UNKNOWN 17 2011-05-17 - 17:16 over 13 years
1.0.3 UNKNOWN 17 2011-05-17 - 13:46 over 13 years
1.0.2 UNKNOWN 17 2011-05-12 - 21:12 over 13 years
1.0.1 UNKNOWN 17 2011-05-11 - 06:56 over 13 years
1.0 UNKNOWN 17 2011-05-04 - 08:43 over 13 years
1.0.rc UNKNOWN 17 2011-05-04 - 03:12 over 13 years
0.2.7 UNKNOWN 17 2011-02-05 - 20:33 over 13 years
0.2.6 UNKNOWN 17 2010-12-02 - 06:38 almost 14 years
0.2.5 UNKNOWN 17 2010-11-04 - 17:22 almost 14 years
0.2.4 UNKNOWN 17 2010-10-17 - 06:56 almost 14 years
0.2.3 UNKNOWN 17 2010-10-13 - 18:15 about 14 years
0.2.2 UNKNOWN 17 2010-10-08 - 21:45 about 14 years
0.2.1 UNKNOWN 17 2010-10-02 - 23:10 about 14 years
0.2 UNKNOWN 17 2010-10-02 - 18:12 about 14 years
0.1.3 UNKNOWN 17 2010-09-16 - 21:12 about 14 years
0.1.2 UNKNOWN 17 2010-08-18 - 08:46 about 14 years
0.1.1 UNKNOWN 17 2010-08-16 - 23:10 about 14 years