Описание
Duplicate Advisory: jQuery Cross Site Scripting vulnerability
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-jpcq-cgw6-v4j6. This link is maintained to preserve external references.
Original Description
Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2020-23064
- https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
- https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
- https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
- https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml
- https://security.netapp.com/advisory/ntap-20230725-0003
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
Пакеты
jquery
>= 1.0.3, < 3.5.0
3.5.0
jQuery
>= 1.0.3, < 3.5.0
3.5.0
jquery-rails
< 4.4.0
4.4.0
org.webjars.npm:jquery
>= 1.0.3, < 3.5.0
3.5.0
Связанные уязвимости
A flaw was found in jQuery, where it is vulnerable to Cross-site scripting, caused by the improper validation of user-supplied input by the <options> element. This flaw allows a remote attacker to use a specially crafted URL to execute a script in a victim's web browser within the security context of the hosting website once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-11023. Reason: This candidate is a duplicate of CVE-2020-11023. Notes: All CVE users should reference CVE-2020-11023 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Уязвимость библиотеки jQuery, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю выполнить межсайтовй скриптинг