jQuery jQuery JavaScript Frameworks

stack.watch can notify you when security vulnerabilities are reported in any jQuery product. You can add multiple products that you use with jQuery to create your own personal software stack watcher.

Products by jQuery Sorted by Most Security Vulnerabilities since 2018

jQuery5 vulnerabilities
JavaScript Framework

Jquery Ui1 vulnerability

@jquery Tweets

jQuery 3.5.1 is out! A small release for a regression in 3.5.0. https://t.co/o5k81ZvK37
Mon May 04 23:01:30 +0000 2020

jQuery 3.5.0 has been released! This update includes a security fix and even a couple new features. https://t.co/QimHZOxFCO
Fri Apr 10 16:36:22 +0000 2020

RT @openjsf: Miss the AMA with @jquery? Catch the replay here! Big thanks to @jorydotcom, @davemethvin and @timmywil for a great, informati…
Thu Feb 06 22:38:00 +0000 2020

RT @timmywil: Ask me a question about jQuery! https://t.co/EYxmeNJvSW
Wed Feb 05 14:56:37 +0000 2020

RT @openjsf: We are getting started in 15 minutes with the @jquery AMA! Get the link to join and submit your questions here! https://t.co/e…
Wed Feb 05 14:47:15 +0000 2020

By the Year

In 2020 there have been 3 vulnerabilities in jQuery with an average score of 6.1 out of ten. Last year jQuery had 1 security vulnerability published. That is, 2 more vulnerabilities have already been reported in 2020 as compared to last year. Interestingly, the average vulnerability score and the number of vulnerabilities for 2020 and last year was the same.

Year Vulnerabilities Average Score
2020 3 6.10
2019 1 6.10
2018 1 6.10

It may take a day or so for new jQuery vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest jQuery Security Vulnerabilities

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML

CVE-2020-11022 6.1 - Medium - April 29, 2020

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11022 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements

CVE-2020-11023 6.1 - Medium - April 29, 2020

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

** DISPUTED ** jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element

CVE-2018-18405 6.1 - Medium - April 22, 2020

** DISPUTED ** jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry.

CVE-2018-18405 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {},

CVE-2019-11358 6.1 - Medium - April 20, 2019

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2019-11358 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option

CVE-2015-9251 6.1 - Medium - January 18, 2018

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2015-9251 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might

CVE-2016-7103 6.1 - Medium - March 15, 2017

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

CVE-2016-7103 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8