
CVE-2020-7656

Published: 19 May 2020

jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
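The filter gap described above, as an added example (not jQuery's code and not part of this advisory): a strict script-stripping pattern misses end tags that contain whitespace, while a tolerant one removes them. Both regular expressions, the sample responses and the function names are assumptions made for illustration.

```javascript
// Added illustration, not jQuery source. Both patterns are assumptions.

// Strict filter: the end tag must be spelled exactly "</script>".
const STRICT = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// Tolerant filter: allows whitespace (or anything but ">") after the
// end-tag name, which is how HTML parsers close a script element.
const TOLERANT = /<script\b[^>]*>[\s\S]*?<\/script\b[^>]*>/gi;

// Constructed sample responses; render() is a placeholder name.
const SAMPLES = {
  exact: "<p>ok</p><script>render()</script>",
  space: "<p>ok</p><script>render()</script >",
  tab: "<p>ok</p><script>render()</script\t>",
  upperNewline: "<p>ok</p><SCRIPT>render()</SCRIPT\n>",
};

// Remove every match of the given pattern from the markup.
function stripScripts(html, pattern) {
  return html.replace(pattern, "");
}

// Return the names of samples that still contain a script start tag
// after filtering, i.e. the cases the filter fails to remove.
function survivors(pattern, samples = SAMPLES) {
  return Object.entries(samples)
    .filter(([, html]) => /<script\b/i.test(stripScripts(html, pattern)))
    .map(([name]) => name);
}

console.log("strict filter misses:", survivors(STRICT));
console.log("tolerant filter misses:", survivors(TOLERANT));
```

Running `survivors` against a project's own sanitizing pattern works as a regression check. Regex filtering of HTML remains brittle, so parsing the response with an HTML parser and dropping script elements is the sturdier control.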

Priority

Low

CVSS 3 base score: 6.1

Status

Package: jquery (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Not vulnerable (3.2.1-1)
eoan       Ignored (reached end-of-life)
focal      Not vulnerable (3.3.1~dfsg-3)
precise    Ignored
trusty     Ignored
upstream   Released (1.9.0)
xenial     Ignored

Notes

Author: mdeslaur
Note: This is likely an intrusive, backwards-incompatible change that may break existing software. We will not be fixing this issue in stable Ubuntu releases.
