Ruby/jquery-rails/4.3.0

This gem provides jQuery and the jQuery-ujs driver for your Rails 4+ application.

Repo Link: https://rubygems.org/gems/jquery-rails
License: MIT

4 Security Vulnerabilities

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

Published date: 2019-04-26T16:29:11Z

CVE: CVE-2019-11358

Links:

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Affected versions: ["4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]

Secure versions: [4.4.0, 4.5.0, 4.5.1]

Recommendation: Update to version 4.5.1.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29T22:19:14Z

CVE: CVE-2020-11023

Links:

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Affected versions: ["4.3.5", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]

Secure versions: [4.4.0, 4.5.0, 4.5.1]

Recommendation: Update to version 4.5.1.

Prototype pollution attack through jQuery $.extend

Published date: 2019-04-19

Framework: rails

CVE: 2019-11358

CVSS V2: 4.3

CVSS V3: 6.1

Links:

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of bject.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Secure versions: [4.4.0, 4.5.0, 4.5.1]

Recommendation: Update to version 4.5.1.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29

Framework: rails

CVE: 2020-11023

CVSS V3: 6.9

Links:

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Impact

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

Secure versions: [4.4.0, 4.5.0, 4.5.1]

Recommendation: Update to version 4.5.1.

77 Other Versions

Version	License	Security	Released
4.5.1	MIT		2022-11-10 - 18:30	7 months
4.5.0	MIT		2022-05-23 - 21:27	about 1 year
4.4.0	MIT		2020-05-08 - 15:51	about 3 years
4.3.5	MIT	2	2019-06-13 - 22:51	almost 4 years
4.3.4	MIT	2	2019-06-13 - 22:49	almost 4 years
4.3.3	MIT	4	2018-04-18 - 17:26	about 5 years
4.3.2	MIT	4	2018-04-18 - 17:24	about 5 years
4.3.1	MIT	4	2017-03-21 - 18:39	about 6 years
4.3.0	MIT	4	2017-03-21 - 18:36	about 6 years
4.2.2	MIT	4	2016-12-29 - 01:10	over 6 years
4.2.1	MIT	4	2016-08-19 - 16:56	almost 7 years
4.2.0	MIT	4	2016-08-19 - 16:53	almost 7 years
4.1.1	MIT	4	2016-03-10 - 02:39	about 7 years
4.1.0	MIT	4	2016-01-12 - 23:34	over 7 years
4.0.5	MIT	4	2015-09-01 - 05:37	almost 8 years
4.0.4	MIT	4	2015-06-16 - 18:07	almost 8 years
4.0.3	MIT	6	2014-12-29 - 21:19	over 8 years
4.0.2	MIT	6	2014-12-19 - 23:51	over 8 years
4.0.1	MIT	6	2014-12-16 - 16:22	over 8 years
4.0.0	MIT	6	2014-11-26 - 00:29	over 8 years
4.0.0.beta2	MIT	5	2014-09-06 - 03:17	over 8 years
4.0.0.beta1	MIT	5	2014-09-06 - 00:33	over 8 years
3.1.5	MIT	4	2018-04-18 - 17:35	about 5 years
3.1.4	MIT	4	2015-09-01 - 05:41	almost 8 years
3.1.3	MIT	4	2015-06-16 - 18:08	almost 8 years
3.1.2	MIT	5	2014-09-02 - 00:33	almost 9 years
3.1.1	MIT	5	2014-06-23 - 14:37	almost 9 years
3.1.0	MIT	5	2014-01-29 - 06:18	over 9 years
3.0.4	MIT	6	2013-07-11 - 03:45	almost 10 years
3.0.3	MIT	6	2013-07-11 - 03:33	almost 10 years
3.0.2	MIT	6	2013-07-04 - 18:51	almost 10 years
3.0.1	MIT	6	2013-06-08 - 02:18	almost 10 years
3.0.0	MIT	6	2013-05-29 - 06:52	about 10 years
2.3.0	MIT	6	2013-05-29 - 06:40	about 10 years
2.2.2	MIT	6	2013-05-29 - 05:50	about 10 years
2.2.1	MIT	6	2013-02-08 - 05:27	over 10 years
2.2.0	UNKNOWN	6	2013-01-19 - 17:13	over 10 years
2.1.4	UNKNOWN	6	2012-11-26 - 17:23	over 10 years
2.1.3	UNKNOWN	6	2012-09-24 - 15:08	over 10 years
2.1.2	UNKNOWN	6	2012-09-06 - 23:48	over 10 years
2.1.1	UNKNOWN	6	2012-08-18 - 06:44	almost 11 years
2.1.0	UNKNOWN	6	2012-08-16 - 20:04	almost 11 years
2.0.3	UNKNOWN	6	2012-08-16 - 17:59	almost 11 years
2.0.2	UNKNOWN	6	2012-04-03 - 17:56	about 11 years
2.0.1	UNKNOWN	6	2012-02-28 - 23:56	over 11 years
1.0.19	UNKNOWN	6	2011-11-26 - 05:26	over 11 years
1.0.18	UNKNOWN	6	2011-11-18 - 17:44	over 11 years
1.0.17	UNKNOWN	6	2011-11-09 - 17:37	over 11 years
1.0.16	UNKNOWN	6	2011-10-12 - 21:28	over 11 years
1.0.15	UNKNOWN	6	2011-10-12 - 20:57	over 11 years
1.0.14	UNKNOWN	6	2011-09-08 - 20:52	over 11 years
1.0.13	UNKNOWN	6	2011-08-11 - 22:16	almost 12 years
1.0.12	UNKNOWN	6	2011-06-23 - 06:37	almost 12 years
1.0.11	UNKNOWN	6	2011-06-15 - 23:38	almost 12 years
1.0.10	UNKNOWN	6	2011-06-14 - 02:34	almost 12 years
1.0.9	UNKNOWN	6	2011-05-26 - 03:38	about 12 years
1.0.8	UNKNOWN	6	2011-05-26 - 03:31	about 12 years
1.0.7	UNKNOWN	6	2011-05-22 - 02:42	about 12 years
1.0.6	UNKNOWN	6	2011-05-21 - 19:25	about 12 years
1.0.5	UNKNOWN	6	2011-05-17 - 21:48	about 12 years
1.0.4	UNKNOWN	6	2011-05-17 - 17:16	about 12 years
1.0.3	UNKNOWN	6	2011-05-17 - 13:46	about 12 years
1.0.2	UNKNOWN	6	2011-05-12 - 21:12	about 12 years
1.0.1	UNKNOWN	6	2011-05-11 - 06:56	about 12 years
1.0	UNKNOWN	6	2011-05-04 - 08:43	about 12 years
1.0.rc	UNKNOWN	6	2011-05-04 - 03:12	about 12 years
0.2.7	UNKNOWN	6	2011-02-05 - 20:33	over 12 years
0.2.6	UNKNOWN	6	2010-12-02 - 06:38	over 12 years
0.2.5	UNKNOWN	6	2010-11-04 - 17:22	over 12 years
0.2.4	UNKNOWN	6	2010-10-17 - 06:56	over 12 years
0.2.3	UNKNOWN	6	2010-10-13 - 18:15	over 12 years
0.2.2	UNKNOWN	6	2010-10-08 - 21:45	over 12 years
0.2.1	UNKNOWN	6	2010-10-02 - 23:10	over 12 years
0.2	UNKNOWN	6	2010-10-02 - 18:12	over 12 years
0.1.3	UNKNOWN	6	2010-09-16 - 21:12	over 12 years
0.1.2	UNKNOWN	6	2010-08-18 - 08:46	almost 13 years
0.1.1	UNKNOWN	6	2010-08-16 - 23:10	almost 13 years