ADVISORIES

• CVE-2020-11022 (NVD)
• GHSA-gxr4-xjj5-5px2
• Vendor Advisory

GEM

jquery-rails

SEVERITY

CVSS v3.x: 6.9 (Medium)

CVSS v2.0: 4.3 (Medium)

UNAFFECTED VERSIONS

• < 1.2.0

PATCHED VERSIONS

• >= 3.5.0

DESCRIPTION

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

jQuery.htmlPrefilter = function( html ) {
  return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo.

If you don't find an answer, open a new issue."

RELATED

• https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
• https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
• https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
• https://jquery.com/upgrade-guide/3.5/
• https://nvd.nist.gov/vuln/detail/CVE-2020-11022
• https://security.netapp.com/advisory/ntap-20200511-0006/
• https://www.drupal.org/sa-core-2020-002
• https://www.debian.org/security/2020/dsa-4693
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
• https://www.oracle.com/security-alerts/cpujul2020.html
• http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
• https://security.gentoo.org/glsa/202007-03
• http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
• https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@
• https://github.com/advisories/GHSA-gxr4-xjj5-5px2
• https://www.npmjs.com/advisories/1518
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@
• https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@
• http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
• https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@
• https://www.tenable.com/security/tns-2020-10
• https://www.tenable.com/security/tns-2020-11
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@
• https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@
• https://www.tenable.com/security/tns-2021-02
• https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
• http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
• https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@
• https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@
• https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@
• https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@
• https://www.tenable.com/security/tns-2021-10
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@
• https://github.com/jquery/jquery/releases/tag/3.5.0
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html