Description
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Recommendation
Update the jquery package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.12.0, < 3.5.0
- Patched version(s): 3.5.0
References
- GHSA-gxr4-xjj5-5px2
- www.drupal.org
- www.debian.org
- www.oracle.com
- security.gentoo.org
- lists.apache.org
- www.tenable.com
- lists.debian.org
- lists.fedoraproject.org
- blog.jquery.com
- jquery.com
- lists.opensuse.org
- packetstormsecurity.com
- security.netapp.com
- CVE-2020-11022
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- Potential XSS in jQuery dependency in Mirador - Vulnerability
- Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter - CVE-2020-19697
- Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter - CVE-2020-19698
You might also like:
- Tags:
- npm
- jquery
Anything's wrong? Let us know Last updated on April 13, 2026