Your submission was sent successfully! Close

CVE-2020-11023

Published: 29 April 2020

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Notes

AuthorNote
mdeslaur
This is likely an intrusive, backwards-incompatible change that
may break existing software.
Priority

Low

CVSS 3 base score: 6.1

Status

Package Release Status
drupal7
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
jquery
Launchpad, Ubuntu, Debian
bionic Needed

eoan Ignored
(reached end-of-life)
focal Needed

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Not vulnerable
(code not present)
Patches:
upstream: https://github.com/jquery/jquery/pull/4647/commits/25c0a6e0523b3b2d501f4f7c66a3f351fa96ca32