jQuery — CVE history (npm)

jQuery

11 CVEs affect the jQuery npm package (highest CVSS 7.5). 1 on CISA's Known Exploited Vulnerabilities catalog. Latest disclosed: 2020-05-19. Full CVE history sourced from NVD.

Summary

Package
jQuery (npm)
Total CVEs
11
Actively exploited (CISA KEV)
1
Highest CVSS
7.5
Latest disclosed
2020-05-19

Recent CVEs (top 11)

CVESeverityCVSSKEVPublishedSummary
CVE-2020-7656Medium6.12020-05-19jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method.
CVE-2020-11022Medium6.92020-04-29In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
CVE-2020-11023Medium6.9KEV2020-04-29In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
CVE-2018-18405Medium6.12020-04-22jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element.
CVE-2019-11358Medium6.12019-04-20jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution.
CVE-2016-10707High7.52018-01-18jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names.
CVE-2015-9251Medium6.12018-01-18jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CVE-2012-6708Medium6.12018-01-18jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks.
CVE-2014-6071Medium6.12018-01-16jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.
CVE-2011-49692013-03-08Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
CVE-2007-23792007-04-30The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute…

All-time worst (top 9 by CVSS)

CVESeverityCVSSKEVPublishedSummary
CVE-2016-10707High7.52018-01-18jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names.
CVE-2020-11022Medium6.92020-04-29In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
CVE-2020-11023Medium6.9KEV2020-04-29In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
CVE-2020-7656Medium6.12020-05-19jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method.
CVE-2018-18405Medium6.12020-04-22jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element.
CVE-2019-11358Medium6.12019-04-20jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution.
CVE-2015-9251Medium6.12018-01-18jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CVE-2012-6708Medium6.12018-01-18jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks.
CVE-2014-6071Medium6.12018-01-16jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.

Actively exploited (CISA KEV — 1)

CVESeverityCVSSKEVPublishedSummary
CVE-2020-11023Medium6.9KEV2020-04-29In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.