[Security] Jquery 3.1.1 is vulnerable to untrusted code execution
Description
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code (see CVE-2020-11022 and CVE-2020-11023)
Expected behavior
Update jquery to the version 3.5 or newer in https://github.com/astropy/astropy/tree/main/astropy/extern/jquery/data/js
Actual behavior
jquery version 3.1.1 is distributed with the latest astropy release
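Why a sanitized string can still execute, and how to tell whether a bundled copy is affected, as an added example (not astropy or jQuery project code). Before 3.5.0, `jQuery.htmlPrefilter` rewrote self-closing tags such as `<style/>` into `<style></style>` with the regex reproduced below as `rxhtmlTag`; a sanitizer that parses HTML the way a browser does sees everything after `<style>` as raw CSS text and passes it, but jQuery's rewrite closes the element early and the text becomes live markup. The constructed payload, the version banner and the minimal raw-text-aware tag scanner are assumptions made here for illustration.

```javascript
// Added example for this issue; not astropy or jQuery project code.
// rxhtmlTag reproduces the regex behind jQuery.htmlPrefilter in jQuery < 3.5.0
// (3.5.0 made htmlPrefilter the identity as the fix for CVE-2020-11022).
// The payload, banner and toy parser below are constructed for illustration.

const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0: expand self-closing tags, e.g. "<style/>" -> "<style></style>".
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: markup reaches the browser exactly as the sanitizer saw it.
function fixedHtmlPrefilter(html) {
  return html;
}

const RAW_TEXT = new Set(["script", "style", "textarea", "title"]);

// Tiny model of the HTML5 tree-builder behaviour that matters here: returns the
// start tags a browser would turn into elements. The content of a raw-text
// element (style, script, ...) is text until its own end tag, so an "<img ...>"
// inside "<style>...</style>" never becomes an element.
function elementsSeenByBrowser(html) {
  const seen = [];
  const tag = /<\/?([a-z][a-z0-9]*)[^>]*>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    if (m[0][1] === "/") continue; // end tag
    const name = m[1].toLowerCase();
    seen.push(name);
    if (RAW_TEXT.has(name)) {
      const rest = html.slice(tag.lastIndex);
      const idx = rest.search(new RegExp("</" + name + "\\s*>", "i"));
      if (idx < 0) break; // unterminated raw text: nothing after it is markup
      tag.lastIndex += idx; // resume scanning at the matching end tag
    }
  }
  return seen;
}

// Constructed payload of the kind CVE-2020-11022 describes. A browser-faithful
// sanitizer sees one <style> element whose text happens to contain "<img ...>".
const PAYLOAD = "<style><style/><img src=x onerror=alert(1)></style>";

// Version check for a bundled copy such as the file under
// astropy/extern/jquery/data/js. Handles the minified banner
// ("/*! jQuery v3.1.1 | ...") and the unminified one
// ("jQuery JavaScript Library v3.1.1").
function jqueryVersion(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)/.exec(source);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Both CVEs are fixed in 3.5.0; every earlier 1.x/2.x/3.x release is affected
// by at least one of them.
function affectedByHtmlPrefilterXss(source) {
  const v = jqueryVersion(source);
  if (!v) throw new Error("no jQuery version banner found");
  const [major, minor] = v;
  return major < 3 || (major === 3 && minor < 5);
}

// Constructed banner line, in the form found at the top of jquery-3.1.1.min.js.
const BANNER_311 = "/*! jQuery v3.1.1 | (c) jQuery Foundation | jquery.org/license */";

console.log("sanitizer view :", elementsSeenByBrowser(PAYLOAD));
console.log("jQuery < 3.5   :", elementsSeenByBrowser(legacyHtmlPrefilter(PAYLOAD)));
console.log("jQuery >= 3.5  :", elementsSeenByBrowser(fixedHtmlPrefilter(PAYLOAD)));
console.log("3.1.1 affected :", affectedByHtmlPrefilterXss(BANNER_311));
```

The scanner shows the sanitizer and the browser agreeing on the unfiltered string (only a `style` element) and disagreeing after the legacy prefilter (an `img` element with a live `onerror` handler appears). Upgrading to 3.5.0 or later is the fix; where an upgrade cannot ship immediately, the jQuery 3.5 release notes document overriding `jQuery.htmlPrefilter` with the identity function as a stop-gap, which is exactly what `fixedHtmlPrefilter` does here.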
Issue Analytics
- Created a year ago
- Comments: 9 (8 by maintainers)
Top Results From Across the Web
- jquery@3.1.1 - Snyk Vulnerability Database: Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Passing HTML from untrusted sources - even after sanitizing it - to...
- Jquery : Security vulnerabilities - CVE Details (columns: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access...):
  1 | CVE-2021-41184 | 79 | Exec Code XSS | 2021-10-26 | 2022-11-07 | 4.3 | None
  2 | CVE-2021-41183 ...
- jquery-3.1.1.min.js: 3 vulnerabilities (highest severity is: 6.1): In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing...
- CVE-2020-11022 Detail - NVD: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it -...
- CVE-2020-11023 - Red Hat Customer Portal: The highest threat from this vulnerability is to data confidentiality and integrity. A flaw was found in jQuery. HTML containing <option> elements from untrusted...
Top GitHub Comments
Re: backport – we have a bot to do that, so you don’t have to worry about manually cherry-picking 😸
I’ll see what I can do about a PR tomorrow 😃 I’d get the jquery update from https://releases.jquery.com/jquery/, latest version is 3.6.0.