Skip to content

Potential XSS vulnerability when passing untrusted input to jQuery HTML manipulation methods

Moderate
LukeTowers published GHSA-v73w-r9xg-7cr9 Jun 2, 2020

Package

composer october/system (Composer)

Affected versions

>= 1.0.319, < 1.0.466

Patched versions

1.0.466

Description

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

Issue has been patched in Build 466 (v1.0.466) by applying the recommended patch from @jquery.

Workarounds

Apply 5c7ba9f to your installation manually if unable to upgrade to Build 466.

References

For more information

If you have any questions or comments about this advisory:

Threat Assessment

Assessed as Moderate by the @jquery team.

Acknowledgements

Thanks to @mrgswift for reporting the issue to the October CMS team.

Severity

Moderate

CVE ID

CVE-2020-11022

Weaknesses

No CWEs

Credits