slurp icon indicating copy to clipboard operation
slurp copied to clipboard

Published 20 hours ago • verified publisher icon slurpcode

CVE-2020-11022 (Medium) detected in jquery-3.1.1.min.js

Open mend-bolt-for-github[bot] opened this issue 5 years ago • 1 comments

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /rubycritic/seek/seek.html

Path to vulnerable library: /rubycritic/seek/../assets/vendor/javascripts/jquery.min.js,/rubycritic/scrapers/ruby/nokogiri/../../../assets/vendor/javascripts/jquery.min.js,/rubycritic/well-formed/../assets/vendor/javascripts/jquery.min.js,/rubycritic/drivers/../assets/vendor/javascripts/jquery.min.js,/rubycritic/charts/../assets/vendor/javascripts/jquery.min.js,/rubycritic/built-in-datatypes/../assets/vendor/javascripts/jquery.min.js,/rubycritic/ruby-strip/../assets/vendor/javascripts/jquery.min.js,/rubycritic/ruby-eclipse-cheatsheets-to-dita/../assets/vendor/javascripts/jquery.min.js,/rubycritic/assets/vendor/javascripts/jquery.min.js,/rubycritic/hashcheck/../assets/vendor/javascripts/jquery.min.js

Dependency Hierarchy:

  • :x: jquery-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ef3d24fa88d80ad14eb3a3575dccaaa2f74d313d

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Release Date: 2020-03-16

Fix Resolution: Replace or update the following files: offset.js, data.js, attributes.js, deprecated.js, selector.js, traversing.js, css.js, testinit.js, localfile.html, core.js, event.js, effects.js, wrap.js, ajax.js, manipulation.js, manipulation.js, dimensions.js, basic.js

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar May 01 '20 15:05 mend-bolt-for-github[bot]