jQuery jQuery JavaScript Frameworks

Do you want an email whenever new security vulnerabilities are reported in any jQuery product?

Products by jQuery Sorted by Most Security Vulnerabilities since 2018

jQuery7 vulnerabilities
JavaScript Framework

Jquery Ui1 vulnerability

@jquery Tweets

RT @jqueryui: �� it's official - jQuery UI 1.13.0 is out! https://t.co/fXiWr5xbeO Check out our post about project status and plans moving…
Thu Oct 07 16:16:27 +0000 2021

After a long break, jQuery UI returns with a Release Candidate for a 1.13 release: https://t.co/dnPdBq9hUU It's a g… https://t.co/tmBGnF4Ub6
Wed Sep 15 20:33:37 +0000 2021

Register today for #OpenJSWorld, happening on June 2! This is a free, virtual event hosted by the @openjsf featurin… https://t.co/iFvKWpOIvU
Mon May 03 21:16:16 +0000 2021

jQuery 3.6.0 has been released! Some bug fixes and a feature for JSONP error handling. https://t.co/ZUYnvrbmHc
Tue Mar 02 17:57:45 +0000 2021

OpenJS World 2021 is happening in June! Register now or submit a talk proposal. #OpenJSWorld21 https://t.co/LQlEJ4xMpL
Mon Feb 01 17:20:56 +0000 2021

By the Year

In 2021 there have been 0 vulnerabilities in jQuery . Last year jQuery had 3 security vulnerabilities published. Right now, jQuery is on track to have less security vulnerabilities in 2021 than it did last year.

Year Vulnerabilities Average Score
2021 0 0.00
2020 3 6.10
2019 1 6.10
2018 2 6.10

It may take a day or so for new jQuery vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent jQuery Security Vulnerabilities

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML

CVE-2020-11022 6.1 - Medium - April 29, 2020

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

XSS

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements

CVE-2020-11023 6.1 - Medium - April 29, 2020

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

XSS

** DISPUTED ** jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element

CVE-2018-18405 6.1 - Medium - April 22, 2020

** DISPUTED ** jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry.

XSS

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {},

CVE-2019-11358 6.1 - Medium - April 20, 2019

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

XSS

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks

CVE-2012-6708 6.1 - Medium - January 18, 2018

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

XSS

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option

CVE-2015-9251 6.1 - Medium - January 18, 2018

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

XSS

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might

CVE-2016-7103 6.1 - Medium - March 15, 2017

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

XSS

The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page

CVE-2007-2379 - April 30, 2007

The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

Information Disclosure

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.