First published: Wed Apr 29 2020
### Impact

Passing HTML containing `<option>` elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. `.html()`, `.append()`, and others) may execute untrusted code.

### Patches

This problem is patched in jQuery 3.5.0.

### Workarounds

To work around this issue without upgrading, use [DOMPurify](https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method.

### References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

### For more information

If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.
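As an added example (not part of this advisory, and not code from the jQuery project), the following JavaScript performs the inventory check a defender needs first: it scans a set of source files for bundled jQuery copies and flags any whose banner version falls inside the affected range `>=1.0.3 <3.5.0` listed in the table below, and it can also check an already-loaded jQuery object through `$.fn.jquery`. The sample file contents are constructed to mimic jQuery's release banners; the function names and the `{ path, text }` input shape are assumptions.

```javascript
// Added example, not from the advisory or the jQuery project: inventory check
// that flags jQuery copies whose version lies in the affected range
// >=1.0.3 <3.5.0 given in the table on this page.

// Parse "3.4.1" or "v3.4.1" into [major, minor, patch]; null when unparseable.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(s).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_MIN = [1, 0, 3];  // first affected release (inclusive)
const FIXED_VERSION = [3, 5, 0]; // first patched release

// true = affected, false = not affected, null = version string not understood.
function isAffectedJqueryVersion(versionString) {
  const v = parseVersion(versionString);
  if (v === null) return null;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED_VERSION) < 0;
}

// jQuery's release banners read "/*! jQuery v3.4.1 | ..." (minified) or
// " * jQuery JavaScript Library v3.4.1" (unminified). The optional group keeps
// "jQuery Migrate - v3.x" and similar plugins from matching.
const BANNER_RE = /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/;

function versionFromBanner(text) {
  const m = BANNER_RE.exec(text);
  return m ? m[1] : null;
}

// files: array of { path, text } (assumed input shape). Returns one record per
// file that carries a jQuery banner, with its version and affected status.
function auditJquerySources(files) {
  const findings = [];
  for (const { path, text } of files) {
    const version = versionFromBanner(text);
    if (version === null) continue;
    findings.push({ path, version, affected: isAffectedJqueryVersion(version) });
  }
  return findings;
}

// Runtime check for a page that already has jQuery loaded: pass window.jQuery.
function auditLoadedJquery(jq) {
  const version = jq && jq.fn && typeof jq.fn.jquery === 'string' ? jq.fn.jquery : null;
  return version === null ? null : isAffectedJqueryVersion(version);
}

// Constructed sample inputs modelled on real jQuery banners (not real files).
const SAMPLE_FILES = [
  { path: 'vendor/jquery-3.4.1.min.js',
    text: '/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */' },
  { path: 'vendor/jquery-1.12.4.js',
    text: '/*!\n * jQuery JavaScript Library v1.12.4\n * https://jquery.com/\n */' },
  { path: 'vendor/jquery-3.5.1.min.js',
    text: '/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */' },
  { path: 'vendor/jquery-migrate-3.1.0.js',
    text: '/*!\n * jQuery Migrate - v3.1.0 - 2019-01-18\n */' },
  { path: 'app/main.js',
    text: 'document.querySelector("#app").textContent = "hello";' },
];

for (const f of auditJquerySources(SAMPLE_FILES)) {
  console.log(`${f.path}: jQuery ${f.version} -> ${f.affected ? 'AFFECTED (upgrade to 3.5.0 or later)' : 'ok'}`);
}
```

Run over a real checkout by reading each candidate file into `{ path, text }` records; every `affected: true` finding is a copy that should be upgraded to 3.5.0 or, where that is not yet possible, fronted by DOMPurify's `SAFE_FOR_JQUERY` sanitization before any untrusted HTML reaches `.html()` or `.append()`, as the Workarounds section states. A `null` result means the version could not be determined and the file needs a manual look.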
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/jquery | 3.3.1~dfsg-3+deb10u1 | |
debian/node-jquery | <=2.2.4+dfsg-4 | 3.5.1+dfsg+~3.5.5-7 3.6.1+dfsg+~3.5.14-1 |
debian/otrs2 | <=6.0.16-2 | 6.0.16-2+deb10u1 6.0.32-6 |
redhat/qpid-dispatch | <0:1.13.0-3.el6_10 | 0:1.13.0-3.el6_10 |
redhat/qpid-dispatch | <0:1.13.0-3.el7 | 0:1.13.0-3.el7 |
redhat/qpid-dispatch | <0:1.13.0-3.el8 | 0:1.13.0-3.el8 |
redhat/kiali | <0:v1.12.10.redhat2-1.el7 | 0:v1.12.10.redhat2-1.el7 |
redhat/ior | <0:1.1.6-1.el8 | 0:1.1.6-1.el8 |
redhat/servicemesh | <0:1.1.6-1.el8 | 0:1.1.6-1.el8 |
redhat/servicemesh-cni | <0:1.1.6-1.el8 | 0:1.1.6-1.el8 |
redhat/servicemesh-grafana | <0:6.4.3-13.el8 | 0:6.4.3-13.el8 |
redhat/servicemesh-operator | <0:1.1.6-2.el8 | 0:1.1.6-2.el8 |
redhat/servicemesh-prometheus | <0:2.14.0-14.el8 | 0:2.14.0-14.el8 |
redhat/ipa | <0:4.6.8-5.el7_9.4 | 0:4.6.8-5.el7_9.4 |
redhat/pcs | <0:0.9.169-3.el7_9.3 | 0:0.9.169-3.el7_9.3 |
redhat/pcs | <0:0.10.10-4.el8 | 0:0.10.10-4.el8 |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el8ea | 0:3.3.16-1.Final_redhat_00001.1.el8ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el9ea | 0:3.3.16-1.Final_redhat_00001.1.el9ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el7ea | 0:3.3.16-1.Final_redhat_00001.1.el7ea |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
redhat/ovirt-engine-ui-extensions | <0:1.2.2-1.el8e | 0:1.2.2-1.el8e |
redhat/ovirt-web-ui | <0:1.6.4-1.el8e | 0:1.6.4-1.el8e |
redhat/jQuery | <3.5.0 | 3.5.0 |
Jquery Jquery | >=1.0.3<3.5.0 | |
Debian Debian Linux | =9.0 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Drupal Drupal | >=7.0<7.70 | |
Drupal Drupal | >=8.7.0<8.7.14 | |
Drupal Drupal | >=8.8.0<8.8.6 | |
Oracle Application Express | <20.2 | |
Oracle Application Testing Suite | =13.3.0.1 | |
Oracle Banking Enterprise Collections | >=2.7.0<=2.8.0 | |
Oracle Banking Platform | >=2.4.0<=2.10.0 | |
Oracle Business Intelligence | =5.9.0.0.0 | |
Oracle Communications Analytics | =12.1.1 | |
Oracle Communications EAGLE Application Processor | >=16.1.0<=16.4.0 | |
Oracle Communications Element Manager | =8.1.1 | |
Oracle Communications Element Manager | =8.2.0 | |
Oracle Communications Element Manager | =8.2.1 | |
Oracle Communications Interactive Session Recorder | >=6.1<=6.4 | |
Oracle Communications Operations Monitor | >=4.1<=4.3 | |
Oracle Communications Operations Monitor | =3.4 | |
Oracle Communications Services Gatekeeper | =7.0 | |
Oracle Communications Session Report Manager | =8.1.1 | |
Oracle Communications Session Report Manager | =8.2.0 | |
Oracle Communications Session Report Manager | =8.2.1 | |
Oracle Communications Session Route Manager | =8.1.1 | |
Oracle Communications Session Route Manager | =8.2.0 | |
Oracle Communications Session Route Manager | =8.2.1 | |
Oracle Financial Services Regulatory Reporting For De Nederlandsche Bank | =8.0.4 | |
Oracle Financial Services Revenue Management And Billing Analytics | =2.7 | |
Oracle Financial Services Revenue Management And Billing Analytics | =2.8 | |
Oracle Health Sciences InForm | =6.3.0 | |
Oracle Healthcare Translational Research | =3.2.1 | |
Oracle Healthcare Translational Research | =3.3.1 | |
Oracle Healthcare Translational Research | =3.3.2 | |
Oracle Healthcare Translational Research | =3.4.0 | |
Oracle Hyperion Financial Reporting | =11.1.2.4 | |
Oracle Jd Edwards Enterpriseone Orchestrator | <9.2.5.0 | |
Oracle Jd Edwards Enterpriseone Tools | <9.2.5.0 | |
Oracle OSS Support Tools | <2.12.41 | |
Oracle Peoplesoft Enterprise Human Capital Management Resources | =9.2 | |
Oracle Primavera Gateway | >=16.2<=16.2.11 | |
Oracle Primavera Gateway | >=17.12.0<=17.12.7 | |
Oracle Primavera Gateway | >=18.8.0<=18.8.9 | |
Oracle Primavera Gateway | >=19.12.0<=19.12.4 | |
Oracle REST Data Services | =11.2.0.4 | |
Oracle REST Data Services | =12.1.0.2 | |
Oracle REST Data Services | =12.2.0.1 | |
Oracle REST Data Services | =18c | |
Oracle REST Data Services | =19c | |
Oracle Siebel Mobile | <=20.12 | |
Oracle Storagetek Acsls | =8.5.1 | |
Oracle Storagetek Tape Analytics Sw Tool | =2.3.1 | |
Oracle WebCenter Sites | =12.2.1.3.0 | |
Oracle WebCenter Sites | =12.2.1.4.0 | |
Oracle WebLogic Server | =12.1.3.0.0 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
Netapp H300s Firmware | ||
Netapp H300s | ||
Netapp H500s Firmware | ||
Netapp H500s | ||
Netapp H700s Firmware | ||
Netapp H700s | ||
Netapp H300e Firmware | ||
Netapp H300e | ||
Netapp H500e Firmware | ||
Netapp H500e | ||
Netapp H700e Firmware | ||
Netapp H700e | ||
Netapp H410s Firmware | ||
Netapp H410s | ||
Netapp H410c Firmware | ||
Netapp H410c | ||
Netapp Max Data | ||
NetApp OnCommand Insight | ||
NetApp OnCommand System Manager | >=3.0<=3.1.3 | |
NetApp Snap Creator Framework | ||
NetApp SnapCenter Server | ||
Tenable Log Correlation Engine | <6.0.9 | |
npm/jquery | >=1.0.3<3.5.0 | 3.5.0 |
maven/org.webjars.npm:jquery | >=1.0.3<3.5.0 | 3.5.0 |
nuget/jQuery | >=1.0.3<3.5.0 | 3.5.0 |
rubygems/jquery-rails | <4.4.0 | 4.4.0 |
All of: Netapp H300s Firmware, Netapp H300s | ||
All of: Netapp H500s Firmware, Netapp H500s | ||
All of: Netapp H700s Firmware, Netapp H700s | ||
All of: Netapp H300e Firmware, Netapp H300e | ||
All of: Netapp H500e Firmware, Netapp H500e | ||
All of: Netapp H700e Firmware, Netapp H700e | ||
All of: Netapp H410s Firmware, Netapp H410s | ||
All of: Netapp H410c Firmware, Netapp H410c | ||
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |