ADVISORIES

• CVE-2020-7656 (NVD)
• GHSA-q4m3-2j7h-f7xw
• Vendor Advisory

GEM

jquery-rails

SEVERITY

CVSS v3.x: 6.1 (Medium)

CVSS v2.0: 4.3 (Medium)

PATCHED VERSIONS

• >= 2.1.4

DESCRIPTION

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim’s browser.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2020-7656
• https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#220-19-january-2013
• https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L7481
• https://github.com/advisories/GHSA-q4m3-2j7h-f7xw