NodeJS/jquery/3.3.1

JavaScript library for DOM operations

https://www.npmjs.com/package/jquery
MIT

5 Security Vulnerabilities

jQuery Cross Site Scripting vulnerability

Published date: 2023-06-26T21:30:58Z
CVE: CVE-2020-23064
Links:

Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.

Affected versions: ["1.5.1", "1.6.2", "1.6.3", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "2.1.0-beta2", "2.1.0-beta3", "1.11.0-beta3", "1.11.0-rc1", "2.1.0-rc1", "1.11.0", "2.1.0", "2.1.1-beta1", "1.11.1-beta1", "2.1.1-rc1", "1.11.1-rc1", "2.1.1-rc2", "1.11.1-rc2", "2.1.1", "1.11.1", "1.9.1", "2.1.2", "1.11.2", "2.1.3", "2.1.4", "1.11.3", "3.0.0-alpha1", "1.12.0", "2.2.0", "3.0.0-beta1", "1.12.1", "2.2.1", "1.12.2", "2.2.2", "1.12.3", "2.2.3", "1.12.4", "2.2.4", "3.0.0-rc1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1", "3.4.0", "3.4.1"]
Secure versions: [3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1, 4.0.0-beta]
Recommendation: Update to version 3.7.1.

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

Published date: 2019-04-26T16:29:11Z
CVE: CVE-2019-11358
Links:

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Affected versions: ["1.5.1", "1.6.2", "1.6.3", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "2.1.0-beta2", "2.1.0-beta3", "1.11.0-beta3", "1.11.0-rc1", "2.1.0-rc1", "1.11.0", "2.1.0", "2.1.1-beta1", "1.11.1-beta1", "2.1.1-rc1", "1.11.1-rc1", "2.1.1-rc2", "1.11.1-rc2", "2.1.1", "1.11.1", "1.9.1", "2.1.2", "1.11.2", "2.1.3", "2.1.4", "1.11.3", "3.0.0-alpha1", "1.12.0", "2.2.0", "3.0.0-beta1", "1.12.1", "2.2.1", "1.12.2", "2.2.2", "1.12.3", "2.2.3", "1.12.4", "2.2.4", "3.0.0-rc1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1"]
Secure versions: [3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1, 4.0.0-beta]
Recommendation: Update to version 3.7.1.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29T22:18:55Z
CVE: CVE-2020-11022
Links:

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

jQuery.htmlPrefilter = function( html ) {
    return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Affected versions: ["1.5.1", "1.6.2", "1.6.3", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "2.1.0-beta2", "2.1.0-beta3", "1.11.0-beta3", "1.11.0-rc1", "2.1.0-rc1", "1.11.0", "2.1.0", "2.1.1-beta1", "1.11.1-beta1", "2.1.1-rc1", "1.11.1-rc1", "2.1.1-rc2", "1.11.1-rc2", "2.1.1", "1.11.1", "1.9.1", "2.1.2", "1.11.2", "2.1.3", "2.1.4", "1.11.3", "3.0.0-alpha1", "1.12.0", "2.2.0", "3.0.0-beta1", "1.12.1", "2.2.1", "1.12.2", "2.2.2", "1.12.3", "2.2.3", "1.12.4", "2.2.4", "3.0.0-rc1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1", "3.4.0", "3.4.1"]
Secure versions: [3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1, 4.0.0-beta]
Recommendation: Update to version 3.7.1.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29T22:19:14Z
CVE: CVE-2020-11023
Links:

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Affected versions: ["1.5.1", "1.6.2", "1.6.3", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "2.1.0-beta2", "2.1.0-beta3", "1.11.0-beta3", "1.11.0-rc1", "2.1.0-rc1", "1.11.0", "2.1.0", "2.1.1-beta1", "1.11.1-beta1", "2.1.1-rc1", "1.11.1-rc1", "2.1.1-rc2", "1.11.1-rc2", "2.1.1", "1.11.1", "1.9.1", "2.1.2", "1.11.2", "2.1.3", "2.1.4", "1.11.3", "3.0.0-alpha1", "1.12.0", "2.2.0", "3.0.0-beta1", "1.12.1", "2.2.1", "1.12.2", "2.2.2", "1.12.3", "2.2.3", "1.12.4", "2.2.4", "3.0.0-rc1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1", "3.4.0", "3.4.1"]
Secure versions: [3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1, 4.0.0-beta]
Recommendation: Update to version 3.7.1.

Duplicate Advisory: Prototype Pollution in jquery

Published date: 2019-04-23T15:59:10Z
CVE: CVE-2019-5428
Links:

Duplicate Advisory

This advisory is a duplicate of GHSA-6c3j-c64m-qhgq. This link is maintained to preserve external references.

Original Description

Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects.

Recommendation

Upgrade to version 3.4.0 or later.

Affected versions: ["1.5.1", "1.6.2", "1.6.3", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "2.1.0-beta2", "2.1.0-beta3", "1.11.0-beta3", "1.11.0-rc1", "2.1.0-rc1", "1.11.0", "2.1.0", "2.1.1-beta1", "1.11.1-beta1", "2.1.1-rc1", "1.11.1-rc1", "2.1.1-rc2", "1.11.1-rc2", "2.1.1", "1.11.1", "1.9.1", "2.1.2", "1.11.2", "2.1.3", "2.1.4", "1.11.3", "3.0.0-alpha1", "1.12.0", "2.2.0", "3.0.0-beta1", "1.12.1", "2.2.1", "1.12.2", "2.2.2", "1.12.3", "2.2.3", "1.12.4", "2.2.4", "3.0.0-rc1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1"]
Secure versions: [3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1, 4.0.0-beta]
Recommendation: Update to version 3.7.1.

60 Other Versions

Version License Security Released
4.0.0-beta MIT 2024-02-06 - 16:43 2 months
3.7.1 MIT 2023-08-28 - 13:39 8 months
3.7.0 MIT 2023-05-11 - 18:32 11 months
3.6.4 MIT 2023-03-08 - 15:32 about 1 year
3.6.3 MIT 2022-12-20 - 21:34 over 1 year
3.6.2 MIT 2022-12-13 - 14:58 over 1 year
3.6.1 MIT 2022-08-26 - 17:54 over 1 year
3.6.0 MIT 2021-03-02 - 17:12 about 3 years
3.5.1 MIT 2020-05-04 - 22:50 almost 4 years
3.5.0 MIT 2020-04-10 - 15:41 about 4 years
3.4.1 MIT 3 2019-05-01 - 21:19 almost 5 years
3.4.0 MIT 3 2019-04-10 - 19:53 about 5 years
3.3.1 MIT 5 2018-01-20 - 17:27 about 6 years
3.3.0 MIT 5 2018-01-19 - 19:03 about 6 years
3.2.1 MIT 5 2017-03-20 - 19:02 about 7 years
3.2.0 MIT 5 2017-03-16 - 21:30 about 7 years
3.1.1 MIT 5 2016-09-22 - 22:32 over 7 years
3.1.0 MIT 5 2016-07-07 - 21:46 almost 8 years
3.0.0 MIT 5 2016-06-09 - 18:33 almost 8 years
3.0.0-rc1 MIT 6 2016-05-20 - 19:13 almost 8 years
3.0.0-beta1 MIT 6 2016-01-14 - 23:09 over 8 years
3.0.0-alpha1 MIT 6 2015-07-13 - 19:26 almost 9 years
2.2.4 MIT 7 2016-05-20 - 17:26 almost 8 years
2.2.3 MIT 7 2016-04-05 - 19:27 about 8 years
2.2.2 MIT 7 2016-03-17 - 17:52 about 8 years
2.2.1 MIT 7 2016-02-22 - 19:12 about 8 years
2.2.0 MIT 7 2016-01-08 - 20:03 over 8 years
2.1.4 MIT 7 2015-04-28 - 16:17 almost 9 years
2.1.3 MIT 7 2014-12-18 - 15:18 over 9 years
2.1.2 MIT 7 2014-12-17 - 14:14 over 9 years
2.1.1 MIT 7 2014-05-01 - 17:15 almost 10 years
2.1.1-rc2 MIT 7 2014-04-21 - 20:52 almost 10 years
2.1.1-rc1 MIT 7 2014-04-18 - 15:29 about 10 years
2.1.1-beta1 MIT 7 2014-03-24 - 17:05 about 10 years
2.1.0 MIT 7 2014-01-23 - 21:12 about 10 years
2.1.0-rc1 MIT 7 2014-01-17 - 22:47 over 10 years
2.1.0-beta3 MIT 7 2013-12-20 - 22:53 over 10 years
2.1.0-beta2 MIT 7 2013-11-15 - 16:34 over 10 years
1.12.4 MIT 7 2016-05-20 - 17:19 almost 8 years
1.12.3 MIT 7 2016-04-05 - 19:21 about 8 years
1.12.2 MIT 5 2016-03-17 - 17:45 about 8 years
1.12.1 MIT 6 2016-02-22 - 19:08 about 8 years
1.12.0 MIT 6 2016-01-08 - 19:58 over 8 years
1.11.3 MIT 7 2015-04-28 - 16:22 almost 9 years
1.11.2 MIT 7 2014-12-17 - 16:07 over 9 years
1.11.1 MIT 7 2014-05-01 - 18:05 almost 10 years
1.11.1-rc2 MIT 7 2014-04-21 - 21:12 almost 10 years
1.11.1-rc1 MIT 7 2014-04-18 - 15:40 about 10 years
1.11.1-beta1 MIT 7 2014-03-24 - 17:25 about 10 years
1.11.0 MIT 7 2014-01-23 - 21:07 about 10 years
1.11.0-rc1 MIT 7 2014-01-16 - 21:08 over 10 years
1.11.0-beta3 MIT 7 2014-01-06 - 19:57 over 10 years
1.9.1 MIT 7 2014-07-17 - 22:01 almost 10 years
1.8.3 MIT 10 2012-12-01 - 00:03 over 11 years
1.8.2 MIT 10 2012-11-11 - 22:43 over 11 years
1.7.3 MIT 10 2012-07-01 - 16:11 almost 12 years
1.7.2 MIT 10 2012-05-01 - 11:14 almost 12 years
1.6.3 MIT 9 2011-09-12 - 19:05 over 12 years
1.6.2 MIT 10 2011-07-06 - 16:13 almost 13 years
1.5.1 MIT 10 2011-03-19 - 07:19 about 13 years