Your submission was sent successfully! Close

CVE-2020-7656

Published: 19 May 2020

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Priority

Low

CVSS 3 base score: 6.1

Status

Package Release Status
jquery
Launchpad, Ubuntu, Debian 		bionic Not vulnerable
(3.2.1-1)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(3.3.1~dfsg-3)
precise Ignored

trusty Ignored

upstream
Released (1.9.0)
xenial Ignored

Notes

AuthorNote
mdeslaur 
This is likely an intrusive, backwards-incompatible change that
may break existing software. We will not be fixing this issue
in stable Ubuntu releases.

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading