jquery-2.2.4.tgz: 4 vulnerabilities (highest severity is: 6.1) #8
Description
Vulnerable Library - jquery-2.2.4.tgz
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jquery/package.json
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Mend has checked all newer package trees, and you are on the least vulnerable package!
Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the section “Details” below.
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (jquery version) | Fix PR available |
|---|---|---|---|---|---|---|
| CVE-2020-11023 |  Medium |
6.1 | jquery-2.2.4.tgz | Direct | N/A | ❌ |
| CVE-2020-11022 | Medium |
6.1 | jquery-2.2.4.tgz | Direct | N/A | ❌ |
| CVE-2015-9251 | Medium |
6.1 | jquery-2.2.4.tgz | Direct | N/A | ❌ |
| CVE-2019-11358 | Medium |
6.1 | jquery-2.2.4.tgz | Direct | N/A | ❌ |
Details
CVE-2020-11023
Vulnerable Library - jquery-2.2.4.tgz
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jquery/package.json
Dependency Hierarchy:
- ❌ jquery-2.2.4.tgz (Vulnerable Library)
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-11022
Vulnerable Library - jquery-2.2.4.tgz
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jquery/package.json
Dependency Hierarchy:
- ❌ jquery-2.2.4.tgz (Vulnerable Library)
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
In order to enable automatic remediation, please create workflow rules
CVE-2015-9251
Vulnerable Library - jquery-2.2.4.tgz
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jquery/package.json
Dependency Hierarchy:
- ❌ jquery-2.2.4.tgz (Vulnerable Library)
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2019-11358
Vulnerable Library - jquery-2.2.4.tgz
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jquery/package.json
Dependency Hierarchy:
- ❌ jquery-2.2.4.tgz (Vulnerable Library)
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
In order to enable automatic remediation, please create workflow rules