Description
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
jquery | removed | | | package |
jquery | fixed | 3.3.1~dfsg-3+deb10u1 | buster | package |
jquery | not-affected | | jessie | package |
drupal7 | removed | | | package |
drupal7 | not-affected | | jessie | package |
node-jquery | fixed | 3.5.0+dfsg-2 | | package |
node-jquery | no-dsa | | buster | package |
otrs2 | fixed | 6.0.30-1 | | package |
otrs2 | ignored | | stretch | package |
Notes
https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
https://www.drupal.org/sa-core-2020-002
https://otrs.com/release-notes/otrs-security-advisory-2020-14/