Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Release Notes
jquery/jquery (jquery)
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/tag/3.5.0): jQuery 3.5.0 Released!
[Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0)
See the blog post:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
and the upgrade guide:
https://jquery.com/upgrade-guide/3.5/
**NOTE:** Despite being a minor release, this update includes a breaking change that we had to make to fix [a security issue](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) ( [`CVE-2020-11022`](https://nvd.nist.gov/vuln/detail/CVE-2020-11022)). Please follow the blog post & the upgrade guide for more details.
### [`v3.4.1`](https://togithub.com/jquery/jquery/compare/3.4.0...3.4.1)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.4.0...3.4.1)
### [`v3.4.0`](https://togithub.com/jquery/jquery/compare/3.3.1...3.4.0)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.3.1...3.4.0)
### [`v3.3.1`](https://togithub.com/jquery/jquery/compare/3.3.0...3.3.1)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.3.0...3.3.1)
### [`v3.3.0`](https://togithub.com/jquery/jquery/compare/3.2.1...3.3.0)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.2.1...3.3.0)
### [`v3.2.1`](https://togithub.com/jquery/jquery/compare/3.2.0...3.2.1)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.2.0...3.2.1)
### [`v3.2.0`](https://togithub.com/jquery/jquery/compare/3.1.1...3.2.0)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.1.1...3.2.0)
### [`v3.1.1`](https://togithub.com/jquery/jquery/compare/3.1.0...3.1.1)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.1.0...3.1.1)
### [`v3.1.0`](https://togithub.com/jquery/jquery/compare/3.0.0...3.1.0)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.0.0...3.1.0)
### [`v3.0.0`](https://togithub.com/jquery/jquery/compare/2.2.4...3.0.0)
[Compare Source](https://togithub.com/jquery/jquery/compare/2.2.4...3.0.0)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
2.2.4
->3.5.0
GitHub Vulnerability Alerts
CVE-2020-11022
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html()
,.append()
, and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
CVE-2015-9251
Affected versions of
jquery
interprettext/javascript
responses from cross-origin ajax requests, and automatically execute the contents injQuery.globalEval
, even when the ajax request doesn't contain thedataType
option.Recommendation
Update to version 3.0.0 or later.
CVE-2020-23064
Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code via the
<options>
element.CVE-2019-11358
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles
jQuery.extend(true, {}, ...)
because ofObject.prototype
pollution. If an unsanitized source object contained an enumerable__proto__
property, it could extend the nativeObject.prototype
.Release Notes
jquery/jquery (jquery)
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/tag/3.5.0): jQuery 3.5.0 Released! [Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0) See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/ **NOTE:** Despite being a minor release, this update includes a breaking change that we had to make to fix [a security issue](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) ( [`CVE-2020-11022`](https://nvd.nist.gov/vuln/detail/CVE-2020-11022)). Please follow the blog post & the upgrade guide for more details. ### [`v3.4.1`](https://togithub.com/jquery/jquery/compare/3.4.0...3.4.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.4.0...3.4.1) ### [`v3.4.0`](https://togithub.com/jquery/jquery/compare/3.3.1...3.4.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.3.1...3.4.0) ### [`v3.3.1`](https://togithub.com/jquery/jquery/compare/3.3.0...3.3.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.3.0...3.3.1) ### [`v3.3.0`](https://togithub.com/jquery/jquery/compare/3.2.1...3.3.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.2.1...3.3.0) ### [`v3.2.1`](https://togithub.com/jquery/jquery/compare/3.2.0...3.2.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.2.0...3.2.1) ### [`v3.2.0`](https://togithub.com/jquery/jquery/compare/3.1.1...3.2.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.1.1...3.2.0) ### [`v3.1.1`](https://togithub.com/jquery/jquery/compare/3.1.0...3.1.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.1.0...3.1.1) ### [`v3.1.0`](https://togithub.com/jquery/jquery/compare/3.0.0...3.1.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.0.0...3.1.0) ### [`v3.0.0`](https://togithub.com/jquery/jquery/compare/2.2.4...3.0.0) [Compare Source](https://togithub.com/jquery/jquery/compare/2.2.4...3.0.0)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.