| purl | pkg:npm/jquery@3.0.0-alpha1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1mp8-dk77-kkfm (aliases: CVE-2016-10707, GHSA-mhpp-875w-9cpv) | Exceeding Stack Call Limit DoS. jQuery is a DOM manipulation JavaScript library. In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0. Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit. | Affected by 4 other vulnerabilities. |
| VCID-3df9-dqv9-r3f7 (aliases: CVE-2020-23064, GHSA-257q-pv89-v3xv) | jQuery Cross Site Scripting vulnerability. Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code via the `<options>` element. | Affected by 0 other vulnerabilities. |
| VCID-c88q-zaxs-k3b6 (aliases: GMS-2017-122) | XSS. When text/javascript responses are received from cross-origin ajax requests not containing the option `dataType`, the result is executed in `jQuery.globalEval`, potentially allowing an attacker to execute arbitrary code on the origin. | Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-m8j1-6daq-fyf8 (aliases: CVE-2020-11023, GHSA-jpcq-cgw6-v4j6) | Potential XSS vulnerability in jQuery. Impact: Passing HTML containing `<option>` elements from untrusted sources, even after sanitizing them, to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. Workarounds: To work around this issue without upgrading, use DOMPurify with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method. | Affected by 0 other vulnerabilities. |
| VCID-neqa-12se-9uab (aliases: CVE-2019-11358, GHSA-6c3j-c64m-qhgq) | Modification of Assumed-Immutable Data (MAID): prototype pollution attack through jQuery `$.extend`. | Affected by 3 other vulnerabilities. |
| VCID-s96y-q7xd-wqcz (aliases: CVE-2015-9251, GHSA-rmxg-73gg-4p98) | Cross-Site Scripting (XSS) in jquery. Affected versions of `jquery` interpret `text/javascript` responses from cross-origin ajax requests, and automatically execute the contents in `jQuery.globalEval`, even when the ajax request doesn't contain the `dataType` option. | Affected by 4 other vulnerabilities. |
| VCID-uhze-gqqq-4bd2 (aliases: CVE-2020-11022, GHSA-gxr4-xjj5-5px2) | Potential XSS vulnerability in jQuery. Impact: Passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. Patches: This problem is patched in jQuery 3.5.0. Workarounds: To work around the issue without upgrading, add the following to your code: `jQuery.htmlPrefilter = function( html ) { return html; };` You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround. References: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and https://jquery.com/upgrade-guide/3.5/ . For more information: If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1fe6-qesm-ubfp | Exceeding Stack Call Limit DoS. A lowercasing logic is used on the attribute names. Because of this, boolean attributes whose names are not all lowercase cause infinite recursion, and will exceed the stack call limit. | GMS-2016-33 |