Skip to content

Potential XSS vulnerability in jQuery

Moderate severity GitHub Reviewed Published Apr 29, 2020 in jquery/jquery • Updated Apr 25, 2022

Package

npm jquery (npm)

Affected versions

>= 1.0.3, < 3.5.0

Patched versions

3.5.0

Description

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

References

@timmywil timmywil published the maintainer security advisory Apr 29, 2020

Severity

Moderate
6.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Weaknesses

CVE ID

CVE-2020-11023

GHSA ID

GHSA-jpcq-cgw6-v4j6

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.