Description
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Recommendation
Update the jquery package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.0.3, < 3.5.0
- Patched version(s): 3.5.0
References
- GHSA-jpcq-cgw6-v4j6
- blog.jquery.com
- www.drupal.org
- www.debian.org
- www.oracle.com
- lists.opensuse.org
- security.gentoo.org
- lists.apache.org
- www.tenable.com
- lists.debian.org
- packetstormsecurity.com
- security.snyk.io
- lists.fedoraproject.org
- snyk.io
- security.netapp.com
- jquery.com
- CVE-2020-11023
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Denial of Service in jquery - CVE-2016-10707
- webfinger.js Blind SSRF Vulnerability - CVE-2025-54590
- files.photo.gallery command injection - CVE-2024-53615
- Potential XSS vulnerability in jQuery (GHSA-gxr4-xjj5-5px2) - CVE-2020-11022
- Tags:
- npm
- jquery
Anything's wrong? Let us know Last updated on January 31, 2025