GHSA-gxr4-xjj5-5px2

Source

https://github.com/advisories/GHSA-gxr4-xjj5-5px2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-gxr4-xjj5-5px2

Aliases

Published

2020-04-29T22:18:55Z

Modified

2026-05-15T12:14:13.642045143Z

Severity

6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Potential XSS vulnerability in jQuery

Details

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

jQuery.htmlPrefilter = function( html ) {
    return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-29T22:18:37Z",
    "nvd_published_at": "2020-04-29T22:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Maven

org.webjars.npm:jquery

Package

Name: org.webjars.npm:jquery; View open source insights on deps.dev
Purl: pkg:maven/org.webjars.npm/jquery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.12.0

Fixed

3.5.0

Affected versions

1.*

1.12.1

1.12.2

1.12.3

1.12.4

2.*

2.1.0

2.1.1-rc1

2.1.1-rc2

2.1.1

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

3.*

3.0.0-alpha1

3.0.0-beta1

3.0.0-rc1

3.0.0

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.3.1

3.4.0

3.4.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json"

npm

jquery

Package

Name: jquery; View open source insights on deps.dev
Purl: pkg:npm/jquery

Affected ranges

Type: SEMVER
Events: Introduced

1.12.0

Fixed

3.5.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json"

NuGet

jquery

Package

Name: jquery; View open source insights on deps.dev
Purl: pkg:nuget/jquery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.12.0

Fixed

3.5.0

Affected versions

1.*

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

2.*

2.0.0

2.0.1

2.0.1.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

3.*

3.0.0

3.0.0.1

3.1.0

3.1.1

3.2.1

3.3.1

3.4.0

3.4.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json"

Packagist

maximebf/debugbar

Package

Name: maximebf/debugbar
Purl: pkg:composer/maximebf/debugbar

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.19.0

Affected versions

1.*

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1

1.2

1.3

1.4

1.5

1.5.1

1.6

1.6.1

1.7

1.7.1

1.8

1.9

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.10.0

1.10.1

1.13.1

v1.*

v1.10.2

v1.10.3

v1.10.4

v1.10.5

v1.11.0

v1.11.1

v1.12.0

v1.13.0

v1.14.0

v1.14.1

v1.15.0

v1.15.1

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.16.4

v1.16.5

v1.17.0

v1.17.1

v1.17.2

v1.17.3

v1.18.0

v1.18.1

v1.18.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json"

athlon1600/youtube-downloader

Package

Name: athlon1600/youtube-downloader
Purl: pkg:composer/athlon1600/youtube-downloader

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.0.0

Affected versions

v1.*

v1.0.0

v1.0.1

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.1

v2.1.2

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.1.0

v3.1.1

v3.1.2

v4.*

v4.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json"

components/jquery

Package

Name: components/jquery
Purl: pkg:composer/components/jquery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.12.0

Fixed

3.5.0

Affected versions

1.*

1.12.0

1.12.1

1.12.4

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.3

2.1.4

2.2.0

2.2.1

2.2.4

3.*

3.0.0

3.1.0

3.1.1

3.2.0

3.2.1

3.3.1

3.4.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json"

RubyGems

jquery-rails

Package

Name: jquery-rails
Purl: pkg:gem/jquery-rails

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.4.0

Affected versions

0.*

0.1.1

0.1.2

0.1.3

0.2

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

1.*

1.0.rc

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

2.*

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

4.*

4.0.0.beta1

4.0.0.beta2

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json"