CVE-2020-11023.yml
---
gem: jquery-rails
framework: rails
cve: 2020-11023
ghsa: jpcq-cgw6-v4j6
date: 2020-04-29
url: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
title: Potential XSS vulnerability in jQuery
description: |
  ## Impact
  Passing HTML containing `<option>` elements from untrusted sources, even after
  sanitizing them, to one of jQuery's DOM manipulation methods (e.g. `.html()`,
  `.append()`, and others) may execute untrusted code.
  ## Workarounds
  To work around this issue without upgrading, use DOMPurify with its
  `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a
  jQuery method.
cvss_v3: 6.9
patched_versions:
- ">= 4.4.0"
related:
  url:
    - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440