CIVI-SA-2020-16: JQuery Security Update for CVE-2020-11022, CVE-2020-11023

Published
2020-08-19 09:00

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

"[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."

Those advisories are:

These vulnerabilities may be exploitable on some CiviCRM sites. This security release includes a backport of the fix for these two specific issues, without making any other changes to the bundled jQuery version.
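Because the backport leaves the jQuery version number untouched, a site administrator who checks only `jQuery.fn.jquery` will see a pre-3.5.0 version on a patched CiviCRM site. The following JavaScript is an added example, not code from CiviCRM or the jQuery project: it pairs the version check with a behavioural probe. Upstream jQuery 3.5.0 fixed these issues by making `jQuery.htmlPrefilter` return markup unchanged, whereas earlier versions rewrote self-closing tags such as `<div/>` into `<div></div>`; the probe feeds that harmless tag to the prefilter and reports whether the old rewriting is still present. It assumes a patched build behaves like upstream 3.5.0 on this point (the advisory does not describe how the backport is implemented), and the function names `isAffectedJqueryVersion`, `htmlPrefilterExpandsSelfClosing` and `auditJquery`, the reference copy of the legacy prefilter, and the stand-in jQuery objects are all constructed here.

```javascript
// Added example (not CiviCRM's or jQuery's own code): two checks for whether
// the jQuery on a page still carries the behaviour fixed in jQuery 3.5.0
// (CVE-2020-11022 / CVE-2020-11023).
//
// Check 1: version number. Every jQuery release before 3.5.0 is affected.
// Check 2: behaviour. Before 3.5.0, jQuery.htmlPrefilter() rewrote self-closing
// tags such as "<div/>" into "<div></div>"; 3.5.0 made it an identity function.
// CiviCRM backported the fix without changing the jQuery version, so check 1
// alone reports a patched CiviCRM site as vulnerable; check 2 looks at what the
// code actually does. Assumption: the patched build behaves like upstream 3.5.0.

const FIXED_VERSION = [3, 5, 0];

// Parse "3.4.1" (or "3.4.1-pre") into numeric parts; null if unparseable.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the reported jQuery version is older than 3.5.0. Compares part by
// part numerically, so "3.10.0" is correctly treated as newer than "3.5.0".
function isAffectedJqueryVersion(version) {
  const parts = parseVersion(version);
  if (!parts) throw new Error(`unrecognised jQuery version: ${version}`);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false; // exactly 3.5.0
}

// Reference copy of the pre-3.5 htmlPrefilter (reconstructed from jQuery 3.4.1's
// manipulation module) so the probe can be exercised without a browser.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// What jQuery 3.5.0 and later do: return the markup untouched.
function identityHtmlPrefilter(html) {
  return html;
}

// Behavioural probe: pass a harmless self-closing tag through the prefilter and
// see whether it gets expanded. True means the unpatched rewriting is present.
function htmlPrefilterExpandsSelfClosing(prefilter) {
  const probe = "<div/>";
  return prefilter(probe) !== probe;
}

// Combine both checks into one report. In a browser, call auditJquery() on the
// page's jQuery object after its scripts have loaded.
function auditJquery(jq) {
  if (!jq || typeof jq.fn !== "object" || typeof jq.fn.jquery !== "string") {
    return { present: false };
  }
  const version = jq.fn.jquery;
  const versionAffected = isAffectedJqueryVersion(version);
  // jQuery.htmlPrefilter exists from 1.12 / 2.2 onward; older builds are
  // affected by version alone and cannot be probed.
  const probeable = typeof jq.htmlPrefilter === "function";
  const expands = probeable ? htmlPrefilterExpandsSelfClosing(jq.htmlPrefilter) : null;
  return {
    present: true,
    version,
    versionAffected,
    // With a backport the version still looks old but the behaviour is fixed.
    likelyPatched: probeable ? !expands : !versionAffected,
  };
}

// Constructed stand-ins for a jQuery object, so the report runs outside a browser:
// same version string, different prefilter behaviour.
const unpatchedJquery = { fn: { jquery: "1.12.4" }, htmlPrefilter: legacyHtmlPrefilter };
const backportedJquery = { fn: { jquery: "1.12.4" }, htmlPrefilter: identityHtmlPrefilter };
```

On a live CiviCRM page the object to audit is the copy CiviCRM bundles, exposed as `CRM.$`, rather than any jQuery the host CMS loads. A `likelyPatched: false` result means the prefilter still rewrites self-closing tags and the site should be upgraded to the fixed versions listed below; a `likelyPatched: true` result with `versionAffected: true` is the expected picture for a site running the backport.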

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Publication Date

2020-08-19 09:00

Solutions

Upgrade to the latest version of CiviCRM

Credits

Rich Lott of Artfulrobot for reporting the issue
Seamus Lee of CiviCRM Core Team for fixing the issue

References

security/core#93
CVE-2020-11022
CVE-2020-11023