jQuery — CVE history (npm)
jQuery
11 CVEs affect the jQuery npm package (highest CVSS 7.5). 1 on CISA's Known Exploited Vulnerabilities catalog. Latest disclosed: 2020-05-19. Full CVE history sourced from NVD.
Summary
- Package
jQuery (npm)- Total CVEs
11- Actively exploited (CISA KEV)
- 1
- Highest CVSS
7.5- Latest disclosed
- 2020-05-19
Recent CVEs (top 11)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|
CVE-2020-7656 | Medium | 6.1 | — | 2020-05-19 | jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. |
CVE-2020-11022 | Medium | 6.9 | — | 2020-04-29 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. |
CVE-2020-11023 | Medium | 6.9 | KEV | 2020-04-29 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. |
CVE-2018-18405 | Medium | 6.1 | — | 2020-04-22 | jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. |
CVE-2019-11358 | Medium | 6.1 | — | 2019-04-20 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. |
CVE-2016-10707 | High | 7.5 | — | 2018-01-18 | jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. |
CVE-2015-9251 | Medium | 6.1 | — | 2018-01-18 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. |
CVE-2012-6708 | Medium | 6.1 | — | 2018-01-18 | jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. |
CVE-2014-6071 | Medium | 6.1 | — | 2018-01-16 | jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. |
CVE-2011-4969 | — | — | — | 2013-03-08 | Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. |
CVE-2007-2379 | — | — | — | 2007-04-30 | The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute… |
All-time worst (top 9 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|
CVE-2016-10707 | High | 7.5 | — | 2018-01-18 | jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. |
CVE-2020-11022 | Medium | 6.9 | — | 2020-04-29 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. |
CVE-2020-11023 | Medium | 6.9 | KEV | 2020-04-29 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. |
CVE-2020-7656 | Medium | 6.1 | — | 2020-05-19 | jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. |
CVE-2018-18405 | Medium | 6.1 | — | 2020-04-22 | jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. |
CVE-2019-11358 | Medium | 6.1 | — | 2019-04-20 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. |
CVE-2015-9251 | Medium | 6.1 | — | 2018-01-18 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. |
CVE-2012-6708 | Medium | 6.1 | — | 2018-01-18 | jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. |
CVE-2014-6071 | Medium | 6.1 | — | 2018-01-16 | jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. |
Actively exploited (CISA KEV — 1)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|
CVE-2020-11023 | Medium | 6.9 | KEV | 2020-04-29 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. |