In jQuery versions 1.2.0 and later but before 3.5.0, passing HTML from untrusted sources to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code, even after that HTML has been sanitized. This problem is patched in jQuery 3.5.0.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| jquery (npm) | 1.2.0 | 3.5.0 | N/A |
| jquery (NuGet) | 1.2.0 | 3.5.0 | N/A |
| jquery-rails (RubyGems) | 0 | 4.4.0 | N/A |
| org.webjars.npm:jquery (Maven) | 1.2.0 | 3.5.0 | N/A |
| maximebf/debugbar (Packagist) | 0 | 1.19.0 | N/A |
| athlon1600/youtube-downloader (Packagist) | 0 | N/A | N/A |
| components/jquery (Packagist) | 1.2.0 | 3.5.0 | N/A |
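The affected ranges above are half-open (introduced <= version < fixed), and a fixed value of N/A means no fixed release is listed, so every version from the introduced one onward counts as affected. The following is an added example, not part of this advisory or of jQuery, showing how a dependency-audit step would apply these ranges to resolved package versions; the `{ecosystem, name, version}` record shape and the sample dependency list are constructed for this example.

```javascript
// Affected ranges transcribed from the advisory table; `fixed: null` means no fixed release listed.
const AFFECTED = {
  "npm:jquery":                              { introduced: "1.2.0", fixed: "3.5.0" },
  "nuget:jquery":                            { introduced: "1.2.0", fixed: "3.5.0" },
  "rubygems:jquery-rails":                   { introduced: "0",     fixed: "4.4.0" },
  "maven:org.webjars.npm:jquery":            { introduced: "1.2.0", fixed: "3.5.0" },
  "packagist:maximebf/debugbar":             { introduced: "0",     fixed: "1.19.0" },
  "packagist:athlon1600/youtube-downloader": { introduced: "0",     fixed: null },
  "packagist:components/jquery":             { introduced: "1.2.0", fixed: "3.5.0" },
};

// Parse "v3.10.0-beta" into [3, 10, 0]; pre-release suffixes are ignored (simplification for this example).
function parseVersion(v) {
  return String(v).replace(/^v/, "").split("-")[0].split(".").map(n => parseInt(n, 10) || 0);
}

// Numeric component-wise comparison, so that 3.10.0 sorts after 3.5.0 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Affected iff introduced <= version < fixed; with no fixed release, everything from introduced onward.
function isAffected(pkgKey, version) {
  const range = AFFECTED[pkgKey];
  if (!range) return false;
  if (compareVersions(version, range.introduced) < 0) return false;
  return range.fixed === null || compareVersions(version, range.fixed) < 0;
}

// Report every dependency whose resolved version falls inside an affected range.
function findAffected(deps) {
  return deps
    .filter(d => isAffected(`${d.ecosystem}:${d.name}`, d.version))
    .map(d => `${d.ecosystem}:${d.name}@${d.version}`);
}

// Constructed sample input, not taken from any real lockfile.
const SAMPLE_DEPS = [
  { ecosystem: "npm",       name: "jquery",                        version: "3.4.1" },
  { ecosystem: "npm",       name: "jquery",                        version: "3.5.0" },
  { ecosystem: "rubygems",  name: "jquery-rails",                  version: "4.3.5" },
  { ecosystem: "packagist", name: "athlon1600/youtube-downloader", version: "9.9.9" },
];
console.log(findAffected(SAMPLE_DEPS));
```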
CVSS Metrics