Search for packages
| purl | pkg:gem/jquery-rails@2.2.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3tdt-b5tc-aaak
Aliases: CVE-2015-9251 GHSA-rmxg-73gg-4p98 |
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. |
Affected by 6 other vulnerabilities. |
|
VCID-54hw-cf5y-aaaj
Aliases: CVE-2020-23064 GHSA-257q-pv89-v3xv |
Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element. |
Affected by 1 other vulnerability. |
|
VCID-bm85-uen1-aaab
Aliases: CVE-2019-5428 GHSA-wv67-q8rr-grjp |
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11358. Reason: This candidate is a duplicate of CVE-2019-11358. Notes: All CVE users should reference CVE-2019-11358 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. |
Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-fhgh-jkwa-aaah
Aliases: CVE-2020-11023 GHSA-jpcq-cgw6-v4j6 |
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
Affected by 1 other vulnerability. |
|
VCID-h2wf-uwfa-aaak
Aliases: CVE-2016-10707 GHSA-mhpp-875w-9cpv |
Denial of Service in jquery |
Affected by 9 other vulnerabilities. |
|
VCID-kkd1-e4k1-aaam
Aliases: CVE-2020-11022 GHSA-gxr4-xjj5-5px2 |
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-tv97-anfg-aaam
Aliases: CVE-2019-11358 GHSA-6c3j-c64m-qhgq |
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. |
Affected by 4 other vulnerabilities. |
|
VCID-zvqa-f2mq-aaaq
Aliases: CVE-2015-1840 GHSA-4whc-pp4x-9pf3 |
Moderate severity vulnerability that affects jquery-rails and jquery-ujs |
Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7dbv-wt1s-aaak | JQuery allows Cross-site Scripting attacks via the `load` method. The `load` method fails to recognize and remove `<script>` HTML tags that contain a whitespace character such as `</script >`. |
CVE-2020-7656
GHSA-q4m3-2j7h-f7xw |
| VCID-q1qe-zr6p-aaap | jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common. |
CVE-2012-6708
GHSA-2pqj-h3vj-pqgw |