By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2020-7656

Cross-Site Scripting

Affects

jQuery

<1.9.0

jQuery

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Steps to Reproduce

The jQuery $.load() command provides a simple way to load content from other servers and insert it into the current web page. By design, as part of its sanitization process, it is supposed to remove “<script>” tags to ensure that malicious code cannot be inserted into the page and executed.

The vulnerability fails to recognize and remove “<script>” tags that contain a whitespace character, which can result in Cross-site Scripting attacks by including malicious code in the included script.

Addressing the Issue

Clients using jQuery prior to 1.9.1 should upgrade immediately to this version, which contains the fix. Alternatively, clients who need to still remain on 1.6 may leverage HeroDevs Never Ending Support which provides versions of jQuery with this and other CVEs remediated.

Learning and Prevention

Typically, jQuery employs multiple methods to sanitize data. In this case, the actual sanitization method had a vulnerability in it. In these cases, the best business practice is to stay abreast of security updates so that your servers are vulnerable for the least amount of time once the exploit has been published publicly.

Conclusion

HeroDevs jQuery Never-Ending Support can make your team’s life easier and more convenient by ensuring that it has the latest, secure code for all your important dependencies. Contact HeroDevs today to sign up for our comprehensive support service.