Reflected cross-site scripting (XSS) in jquery-rails

Description

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). load() fails to recognize and remove <script> HTML tags that contain a whitespace character, which results in the enclosed script logic being executed. This can lead to Cross-site Scripting attacks when an attacker has control of the enclosed script.
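The failure mode described above, written as a regression check for a regex-based script filter. This is an added example, not code from jquery-rails or jQuery: the STRICT and TOLERANT patterns, the function names and the sample responses are all constructed for illustration.

```javascript
// Simplified stand-in for a regex-based script filter (an assumption,
// not the library's code): it only recognises an exact "</script>".
const STRICT = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

// Tolerant variant: the end tag may carry whitespace or "/" (and anything
// after it) before ">", which HTML parsers still treat as closing <script>.
const TOLERANT = /<script\b[^>]*>[\s\S]*?<\/script(?:[\s\/][^>]*)?>/gi;

// Remove every script element the given pattern recognises.
function stripScripts(html, pattern) {
  return html.replace(pattern, "");
}

// True when a script start tag is still present after filtering.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Return the samples whose script element survives the filter.
function audit(samples, pattern) {
  return samples.filter((s) => hasScriptTag(stripScripts(s, pattern)));
}

// Constructed sample responses: one well-formed end tag, two with
// whitespace inside the end tag.
const SAMPLES = [
  "<p>ok</p><script>track()</script>",
  "<p>ok</p><script>track()</script >",
  "<p>ok</p><SCRIPT type='text/javascript'>track()</SCRIPT\n>",
];

console.log("survive STRICT:  ", audit(SAMPLES, STRICT).length);
console.log("survive TOLERANT:", audit(SAMPLES, TOLERANT).length);
```

A filter that passes this check is still pattern matching on markup, so treat it as a test for the specific whitespace case, not as a substitute for updating to a patched version.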

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions
