Cross-Site Scripting in jquery
Published: May 20, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-7656 (NVD)
- GHSA: GHSA-q4m3-2j7h-f7xw
- Vendor Advisory: https://snyk.io/vuln/SNYK-JS-JQUERY-569619
GEM
FRAMEWORK
SEVERITY
PATCHED VERSIONS
>= 2.1.4
DESCRIPTION
Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site
Scripting. The load method fails to recognize and remove "<script>"
HTML tags that contain a whitespace character, for example "</script >",
so the enclosed script logic is executed. This
allows attackers to execute arbitrary JavaScript in a victim's browser.
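
The failure mode described above, as an added example that is not jQuery's code or part of the advisory: a filter that only accepts the exact closing tag leaves the element in place when the closing tag carries whitespace, and a regression check makes that visible. The patterns, function names and sample responses are assumptions constructed for illustration.

```javascript
// STRICT is modelled on a filter that only accepts the exact closing tag
// "</script>" (assumption: written for this example, not copied from jQuery).
const STRICT = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// TOLERANT follows how HTML parsers end a script element: "</script"
// followed by whitespace, "/" or ">" closes it, whatever comes before ">".
const TOLERANT = /<script\b[\s\S]*?<\/script(?=[\s\/>])[^>]*>/gi;

function stripStrict(html) {
  return html.replace(STRICT, "");
}

function stripTolerant(html) {
  return html.replace(TOLERANT, "");
}

// True when a script start tag is still present after filtering.
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample responses; track() is a harmless stand-in for script logic.
const samples = {
  exact: "<p>ok</p><script>track()</script>",
  spaced: "<p>ok</p><script>track()</script >",
  newline: "<p>ok</p><script>track()</script\n>",
};

// Returns the names of the samples whose script element survives the filter.
function audit(stripper) {
  return Object.keys(samples).filter((name) =>
    hasScriptElement(stripper(samples[name]))
  );
}

console.log("survives strict filter:  ", audit(stripStrict));
console.log("survives tolerant filter:", audit(stripTolerant));
```

The check belongs in a regression suite next to any code path that filters fetched HTML before inserting it; it does not replace moving to a patched version.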
