Skip to content

Use of insecure jQuery version in OctoberCMS

Moderate severity GitHub Reviewed Published Jun 2, 2020 in octobercms/october • Updated Jan 9, 2023

Package

composer october/october (Composer)

Affected versions

>= 1.0.319, < 1.0.466

Patched versions

1.0.466
composer october/system (Composer)
>= 1.0.319, < 1.0.466
1.0.466

Description

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

Issue has been patched in Build 466 (v1.0.466) by applying the recommended patch from @jquery.

Workarounds

Apply octobercms/october@5c7ba9f to your installation manually if unable to upgrade to Build 466.

References

For more information

If you have any questions or comments about this advisory:

Threat Assessment

Assessed as Moderate by the @jquery team.

Acknowledgements

Thanks to @mrgswift for reporting the issue to the October CMS team.

References

@LukeTowers LukeTowers published to octobercms/october Jun 2, 2020
Reviewed Jun 5, 2020
Published to the GitHub Advisory Database Jun 5, 2020
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-v73w-r9xg-7cr9

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.