First published: Thu Apr 23 2020
### Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. `.html()`, `.append()`, and others) may execute untrusted code.

### Patches

This problem is patched in jQuery 3.5.0.

### Workarounds

To work around the issue without upgrading, add the following to your code:

```js
jQuery.htmlPrefilter = function( html ) {
	return html;
};
```

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

### References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

### For more information

If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.
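The following is an added example, not code from the advisory or from the jQuery project. It models the two behaviours of `jQuery.htmlPrefilter` side by side: the pre-3.5.0 version, which rewrote self-closing tags before the markup was parsed (the regex is the one jQuery shipped before 3.5.0, as described in the 3.5.0 release notes linked above), and the 3.5.0 / workaround version, which returns the markup unchanged. The point it makes is the one the Impact section states: markup that a sanitizer approved is not the markup jQuery actually built before 3.5.0, so sanitizing first did not help. The helper names (`prefilterChangesMarkup`, `isAffectedJQuery`, `workaroundSupported`) and the sample input are assumptions made for this example; the version ranges come from the advisory and the table on this page.

```javascript
// Added example (not jQuery's own module). It runs without jQuery: both
// prefilter variants are reproduced as plain functions.

// Regex jQuery used inside htmlPrefilter before 3.5.0. It rewrites
// "<tag .../>" into "<tag ...></tag>" for any tag that is not a void element.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Behaviour of jQuery < 3.5.0: the markup is rewritten before parsing.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Behaviour of jQuery >= 3.5.0, and of the advisory's workaround:
// the markup is passed through untouched.
function patchedHtmlPrefilter(html) {
  return html;
}

// Audit helper (assumed name): does the legacy prefilter alter a string a
// sanitizer already approved? Any difference means the DOM jQuery builds is
// not the DOM the sanitizer checked, which is the risk the advisory describes.
function prefilterChangesMarkup(sanitizedHtml) {
  return legacyHtmlPrefilter(sanitizedHtml) !== sanitizedHtml;
}

// Parse "major.minor[.patch]" into numbers; anything after is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error("unrecognised jQuery version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the table on this page: >=1.2.0 and <3.5.0.
function isAffectedJQuery(version) {
  return compareVersions(version, "1.2.0") >= 0 &&
         compareVersions(version, "3.5.0") < 0;
}

// The advisory says the htmlPrefilter override needs at least 1.12 / 2.2
// (every 3.x release also exposes the hook).
function workaroundSupported(version) {
  const [major] = parseVersion(version);
  if (major === 1) return compareVersions(version, "1.12.0") >= 0;
  if (major === 2) return compareVersions(version, "2.2.0") >= 0;
  return compareVersions(version, "3.0.0") >= 0;
}

// Constructed sample: a sanitizer allowed a harmless self-closing <p/>.
// The legacy prefilter still rewrites it, so the sanitizer's verdict no
// longer applies to what jQuery inserts.
const SAMPLE = '<p class="note"/>text';

if (typeof require !== "undefined" && require.main === module) {
  console.log(legacyHtmlPrefilter(SAMPLE));   // <p class="note"></p>text
  console.log(patchedHtmlPrefilter(SAMPLE));  // <p class="note"/>text
  console.log("prefilter changes markup:", prefilterChangesMarkup(SAMPLE));
  console.log("3.4.1 affected:", isAffectedJQuery("3.4.1"),
              "workaround on 1.11.3:", workaroundSupported("1.11.3"));
}
```

In practice the useful checks are the two version helpers in a dependency audit and `prefilterChangesMarkup` as a unit test over the outputs of whatever sanitizer the application uses: if it ever returns `true` on a jQuery version in the affected range, the sanitizer's output is being altered after the fact, and upgrading to 3.5.0 (or applying the workaround on 1.12/2.2 or newer) is the fix.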
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/qpid-dispatch | <0:1.13.0-3.el6_10 | 0:1.13.0-3.el6_10 |
redhat/qpid-dispatch | <0:1.13.0-3.el7 | 0:1.13.0-3.el7 |
redhat/qpid-dispatch | <0:1.13.0-3.el8 | 0:1.13.0-3.el8 |
redhat/jaeger | <0:v1.13.1.redhat7-1.el7 | 0:v1.13.1.redhat7-1.el7 |
redhat/kiali | <0:v1.0.11.redhat1-1.el7 | 0:v1.0.11.redhat1-1.el7 |
redhat/servicemesh-grafana | <0:6.2.2-36.el8 | 0:6.2.2-36.el8 |
redhat/ipa | <0:4.6.8-5.el7 | 0:4.6.8-5.el7 |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el8ea | 0:3.3.16-1.Final_redhat_00001.1.el8ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el9ea | 0:3.3.16-1.Final_redhat_00001.1.el9ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el7ea | 0:3.3.16-1.Final_redhat_00001.1.el7ea |
redhat/atomic-openshift-web-console | <0:3.11.219-1.git.1.9b9b889.el7 | 0:3.11.219-1.git.1.9b9b889.el7 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
redhat/ovirt-engine-ui-extensions | <0:1.2.2-1.el8e | 0:1.2.2-1.el8e |
redhat/ovirt-web-ui | <0:1.6.4-1.el8e | 0:1.6.4-1.el8e |
debian/jquery | 3.3.1~dfsg-3+deb10u1 | |
debian/node-jquery | <=2.2.4+dfsg-4 | 3.5.1+dfsg+~3.5.5-7 3.6.1+dfsg+~3.5.14-1 |
debian/otrs2 | <=6.0.16-2 | 6.0.16-2+deb10u1 6.0.32-6 |
redhat/jquery | <3.5.0 | 3.5.0 |
Jquery Jquery | >=1.2<3.5.0 | |
Drupal Drupal | >=7.0<7.70 | |
Drupal Drupal | >=8.7.0<8.7.14 | |
Drupal Drupal | >=8.8.0<8.8.6 | |
Debian Debian Linux | =9.0 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Oracle Agile Product Lifecycle Management for Process | =6.2.0.0 | |
Oracle Application Testing Suite | =13.3.0.1 | |
Oracle Banking Digital Experience | =18.1 | |
Oracle Banking Digital Experience | =18.2 | |
Oracle Banking Digital Experience | =18.3 | |
Oracle Banking Digital Experience | =19.1 | |
Oracle Banking Digital Experience | =19.2 | |
Oracle Banking Digital Experience | =20.1 | |
Oracle Blockchain Platform | <21.1.2 | |
Oracle Communications Application Session Controller | =3.8m0 | |
Oracle Communications Billing and Revenue Management | =7.5.0.23.0 | |
Oracle Communications Billing and Revenue Management | =12.0.0.3.0 | |
Oracle Communications Diameter Signaling Router IDIH | >=8.0.0<=8.2.2 | |
Oracle Communications EAGLE Application Processor | >=16.1.0<=16.4.0 | |
Oracle Communications Services Gatekeeper | =7.0 | |
Oracle Communications WebRTC Session Controller | =7.2 | |
Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
Oracle Enterprise Session Border Controller | =8.4 | |
Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6.0.0<=8.1.0.0.0 | |
Oracle Financial Services Analytical Applications Reconciliation Framework | >=8.0.6<=8.0.8 | |
Oracle Financial Services Analytical Applications Reconciliation Framework | =8.1.0 | |
Oracle Financial Services Asset Liability Management | =8.0.6 | |
Oracle Financial Services Asset Liability Management | =8.0.7 | |
Oracle Financial Services Asset Liability Management | =8.1.0 | |
Oracle Financial Services Balance Sheet Planning | =8.0.8 | |
Oracle Financial Services Basel Regulatory Capital Basic | >=8.0.6<=8.0.8 | |
Oracle Financial Services Basel Regulatory Capital Basic | =8.1.0 | |
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | >=8.0.6<=8.0.8 | |
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | =8.1.0 | |
Oracle Financial Services Data Foundation | >=8.0.6<=8.1.0 | |
Oracle Financial Services Data Governance For Us Regulatory Reporting | >=8.0.6<=8.0.9 | |
Oracle Financial Services Data Integration Hub | =8.0.6 | |
Oracle Financial Services Data Integration Hub | =8.0.7 | |
Oracle Financial Services Data Integration Hub | =8.1.0 | |
Oracle Financial Services Funds Transfer Pricing | =8.0.6 | |
Oracle Financial Services Funds Transfer Pricing | =8.0.7 | |
Oracle Financial Services Funds Transfer Pricing | =8.1.0 | |
Oracle Financial Services Hedge Management and IFRS Valuations | >=8.0.6<=8.0.8 | |
Oracle Financial Services Hedge Management and IFRS Valuations | =8.1.0 | |
Oracle Financial Services Institutional Performance Analytics | =8.0.6 | |
Oracle Financial Services Institutional Performance Analytics | =8.0.7 | |
Oracle Financial Services Institutional Performance Analytics | =8.1.0 | |
Oracle Financial Services Liquidity Risk Management | =8.0.6 | |
Oracle Financial Services Liquidity Risk Measurement and Management | =8.0.7 | |
Oracle Financial Services Liquidity Risk Measurement and Management | =8.0.8 | |
Oracle Financial Services Liquidity Risk Measurement and Management | =8.1.0 | |
Oracle Financial Services Loan Loss Forecasting and Provisioning | >=8.0.6<=8.0.8 | |
Oracle Financial Services Loan Loss Forecasting and Provisioning | =8.1.0 | |
Oracle Financial Services Market Risk Measurement and Management | =8.0.6 | |
Oracle Financial Services Market Risk Measurement and Management | =8.0.8 | |
Oracle Financial Services Price Creation and Discovery | =8.0.6 | |
Oracle Financial Services Price Creation and Discovery | =8.0.7 | |
Oracle Financial Services Profitability Management | =8.0.6 | |
Oracle Financial Services Profitability Management | =8.0.7 | |
Oracle Financial Services Profitability Management | =8.1.0 | |
Oracle Financial Services Regulatory Reporting For European Banking Authority | >=8.0.6<=8.1.0 | |
Oracle Financial Services Regulatory Reporting For Us Federal Reserve | >=8.0.6<=8.0.9 | |
Oracle Healthcare Foundation | =7.1.1 | |
Oracle Healthcare Foundation | =7.2.0 | |
Oracle Healthcare Foundation | =7.2.1 | |
Oracle Healthcare Foundation | =7.3.0 | |
Oracle Hospitality Materials Control | =18.1 | |
Oracle Hospitality Simphony | >=19.1.0<=19.1.2 | |
Oracle Hospitality Simphony | =18.1 | |
Oracle Hospitality Simphony | =18.2 | |
Oracle Insurance Accounting Analyzer | =8.0.9 | |
Oracle Insurance Allocation Manager For Enterprise Profitability | =8.0.8 | |
Oracle Insurance Allocation Manager For Enterprise Profitability | =8.1.0 | |
Oracle Insurance Data Foundation | >=8.0.6<=8.1.0 | |
Oracle Insurance Insbridge Rating And Underwriting | >=5.0.0.0<=5.6.0.0 | |
Oracle Insurance Insbridge Rating And Underwriting | =5.6.1.0 | |
Oracle JDeveloper | =11.1.1.9.0 | |
Oracle JDeveloper | =12.2.1.3.0 | |
Oracle JDeveloper | =12.2.1.4.0 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
Oracle Policy Automation | >=12.2.0<=12.2.20 | |
Oracle Policy Automation Connector For Siebel | =10.4.6 | |
Oracle Policy Automation For Mobile Devices | >=12.2.0<=12.2.20 | |
Oracle Retail Back Office | =14.0 | |
Oracle Retail Back Office | =14.1 | |
Oracle Retail Customer Management and Segmentation Foundation | =19.0 | |
Oracle Retail Returns Management | =14.0 | |
Oracle Retail Returns Management | =14.1 | |
Oracle Siebel Ui Framework | =20.8 | |
Oracle Storagetek Acsls | =8.5.1 | |
Oracle WebLogic Server | =10.3.6.0.0 | |
Oracle WebLogic Server | =12.1.3.0.0 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
Netapp Max Data | ||
NetApp OnCommand Insight | ||
NetApp OnCommand System Manager | >=3.0<=3.1.3 | |
NetApp Snap Creator Framework | ||
Netapp Snapcenter | ||
Netapp H300s Firmware | ||
Netapp H300s | ||
Netapp H500s Firmware | ||
Netapp H500s | ||
Netapp H700s Firmware | ||
Netapp H700s | ||
Netapp H300e Firmware | ||
Netapp H300e | ||
Netapp H500e Firmware | ||
Netapp H500e | ||
Netapp H700e Firmware | ||
Netapp H700e | ||
Netapp H410s Firmware | ||
Netapp H410s | ||
Netapp H410c Firmware | ||
Netapp H410c | ||
openSUSE Leap | =15.1 | |
openSUSE Leap | =15.2 | |
Tenable Log Correlation Engine | <6.0.9 | |
Oracle Agile Product Supplier Collaboration For Process | =6.2.0.0 | |
Oracle Banking Digital Experience | >=18.1<=20.1 | |
Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6<=8.1.0 | |
Oracle Hospitality Simphony | =19.1.0-19.1.2 | |
Oracle Insurance Data Foundation | =8.0.6-8.1.0 | |
composer/maximebf/debugbar | <1.19.0 | 1.19.0 |
rubygems/jquery-rails | <4.4.0 | 4.4.0 |
maven/org.webjars.npm:jquery | >=1.2.0<3.5.0 | 3.5.0 |
nuget/jquery | >=1.2.0<3.5.0 | 3.5.0 |
npm/jquery | >=1.2.0<3.5.0 | 3.5.0 |
All of | ||
Netapp H300s Firmware | ||
Netapp H300s | ||
All of | ||
Netapp H500s Firmware | ||
Netapp H500s | ||
All of | ||
Netapp H700s Firmware | ||
Netapp H700s | ||
All of | ||
Netapp H300e Firmware | ||
Netapp H300e | ||
All of | ||
Netapp H500e Firmware | ||
Netapp H500e | ||
All of | ||
Netapp H700e Firmware | ||
Netapp H700e | ||
All of | ||
Netapp H410s Firmware | ||
Netapp H410s | ||
All of | ||
Netapp H410c Firmware | ||
Netapp H410c | ||
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |