jquery.3.4.1.nupkg: 3 vulnerabilities (highest severity is: 6.1)
mend-bolt-for-github opened this issue · 0 comments
Vulnerable Library - jquery.3.4.1.nupkg
jQuery is a new kind of JavaScript Library.
Library home page: https://api.nuget.org/packages/jquery.3.4.1.nupkg
Path to dependency file: /BookMaintainBackStage.csproj
Path to vulnerable library: /BookMaintainBackStage.csproj,/packages/jQuery.3.4.1/jQuery.3.4.1.nupkg
Found in HEAD commit: d2e2128c41346d441697d714b590377982de861b
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery.3.4.1.nupkg version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2020-11023 | Medium | 6.1 | jquery.3.4.1.nupkg | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
CVE-2020-11022 | Medium | 6.1 | jquery.3.4.1.nupkg | Direct | jQuery - 3.5.0 | ❌ |
CVE-2020-23064 | Medium | 6.1 | jquery.3.4.1.nupkg | Direct | jquery - 3.5.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-11023
Vulnerable Library - jquery.3.4.1.nupkg
jQuery is a new kind of JavaScript Library.
Library home page: https://api.nuget.org/packages/jquery.3.4.1.nupkg
Path to dependency file: /BookMaintainBackStage.csproj
Path to vulnerable library: /BookMaintainBackStage.csproj,/packages/jQuery.3.4.1/jQuery.3.4.1.nupkg
Dependency Hierarchy:
- ❌ jquery.3.4.1.nupkg (Vulnerable Library)
Found in HEAD commit: d2e2128c41346d441697d714b590377982de861b
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with Mend here
CVE-2020-11022
Vulnerable Library - jquery.3.4.1.nupkg
jQuery is a new kind of JavaScript Library.
Library home page: https://api.nuget.org/packages/jquery.3.4.1.nupkg
Path to dependency file: /BookMaintainBackStage.csproj
Path to vulnerable library: /BookMaintainBackStage.csproj,/packages/jQuery.3.4.1/jQuery.3.4.1.nupkg
Dependency Hierarchy:
- ❌ jquery.3.4.1.nupkg (Vulnerable Library)
Found in HEAD commit: d2e2128c41346d441697d714b590377982de861b
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2020-23064
Vulnerable Library - jquery.3.4.1.nupkg
jQuery is a new kind of JavaScript Library.
Library home page: https://api.nuget.org/packages/jquery.3.4.1.nupkg
Path to dependency file: /BookMaintainBackStage.csproj
Path to vulnerable library: /BookMaintainBackStage.csproj,/packages/jQuery.3.4.1/jQuery.3.4.1.nupkg
Dependency Hierarchy:
- ❌ jquery.3.4.1.nupkg (Vulnerable Library)
Found in HEAD commit: d2e2128c41346d441697d714b590377982de861b
Found in base branch: main
Vulnerability Details
Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the element.
Publish Date: 2023-06-26
URL: CVE-2020-23064
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2023-06-26
Fix Resolution: jquery - 3.5.0
Step up your Open Source Security Game with Mend here