CVE-2020-7656: XSS
First published: Tue May 19 2020(Updated: )
A flaw was found in jquery in versions prior to 1.9.0. A cross-site scripting attack is possible as the load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character which results in the enclosed script logic to be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/qpid-dispatch | <0:1.13.0-3.el6_10 | 0:1.13.0-3.el6_10 |
| redhat/qpid-dispatch | <0:1.13.0-3.el7 | 0:1.13.0-3.el7 |
| redhat/qpid-dispatch | <0:1.13.0-3.el8 | 0:1.13.0-3.el8 |
| redhat/pcs | <0:0.10.10-4.el8 | 0:0.10.10-4.el8 |
| redhat/jquery | <1.9.0 | 1.9.0 |
| Jquery Jquery Node.js | <1.9.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| Netapp Cloud Backup | ||
| NetApp OnCommand System Manager | >=3.0.0<=3.1.3 | |
| NetApp Snap Creator Framework | ||
| Juniper JUNOS | =21.2 | |
| IBM Data Risk Manager | <=2.0.6 | |
| maven/org.webjars.npm:jquery | >=1.2.1<1.9.0 | 1.9.0 |
| nuget/jQuery | >=1.2.1<1.9.0 | 1.9.0 |
| npm/jquery | >=1.2.1<1.9.0 | 1.9.0 |
| rubygems/jquery-rails | <2.2.0 | 2.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-7656
- https://snyk.io/vuln/SNYK-JS-JQUERY-569619
- https://security.netapp.com/advisory/ntap-20200528-0001/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/jquery/jquery/blob/9e6393b0bcb52b15313f88141d0bd7dd54227426/src/ajax.js#L203
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#220-19-january-2013
- https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L7481
- https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-7656.yml
- https://github.com/advisories/GHSA-q4m3-2j7h-f7xw (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-7656 https://nvd.nist.gov/vuln/detail/CVE-2020-7656
- https://bugzilla.redhat.com/show_bug.cgi?id=1850119
- https://access.redhat.com/errata/RHSA-2020:4211
- https://access.redhat.com/errata/RHSA-2021:4142
- https://access.redhat.com/security/cve/cve-2020-7656
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850138
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850136
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850123
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850127
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850134
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850133
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850126
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850139
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850129
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850135
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850121
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850128
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850125
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850137
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850132
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850120
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850131
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1850130
- https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1886340
- https://exchange.xforce.ibmcloud.com/vulnerabilities/182264
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d
- https://github.com/jquery/jquery/commit/606b863edaff29035960e4d813b45d63b8d92876
- https://security.netapp.com/advisory/ntap-20200528-0001
Frequently Asked Questions
What is CVE-2020-7656?
CVE-2020-7656 is a vulnerability in jQuery that allows for Cross-site Scripting attacks via the load method.
How does CVE-2020-7656 affect jQuery?
CVE-2020-7656 affects jQuery versions prior to 1.9.0.
What is the severity of CVE-2020-7656?
The severity of CVE-2020-7656 is medium, with a severity value of 6.1.
How can I fix CVE-2020-7656?
To fix CVE-2020-7656, update jQuery to version 1.9.0 or later.
Where can I find more information about CVE-2020-7656?
You can find more information about CVE-2020-7656 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-7656), [Snyk](https://snyk.io/vuln/SNYK-JS-JQUERY-569619), [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20200528-0001/).
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-7656
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/ibm-support
- source/IBM
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q4m3-2j7h-f7xw
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- package-manager/redhat
- vendor/jquery
- canonical/jquery jquery node.js
- vendor/oracle
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp cloud backup
- canonical/netapp oncommand system manager
- version/netapp oncommand system manager/3.0.0
- version/netapp oncommand system manager/3.1.3
- canonical/netapp snap creator framework
- vendor/juniper
- canonical/juniper junos
- version/juniper junos/21.2
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- package-manager/maven
- package-manager/nuget
- package-manager/npm
- package-manager/rubygems