With the release of jQuery 3.5.0, the jQuery project disclosed two security vulnerabilities that affect all prior versions. As the jQuery blog describes them, both are
"[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."
Those advisories are:
These vulnerabilities may be exploitable on some CiviCRM sites, depending on whether untrusted HTML reaches those jQuery methods. This security release backports the fix for these two specific issues into the jQuery bundled with CiviCRM, without making any other changes to that jQuery version.
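As an added illustration (this is not code from the CiviCRM advisory, from CiviCRM, or from jQuery's release itself), the following Node-runnable JavaScript shows what the backported fix for CVE-2020-11022 changes. jQuery versions before 3.5.0 ran every HTML string given to `.html()`, `.append()` and related methods through `jQuery.htmlPrefilter`, which rewrote "self-closing" tags such as `<tag/>` into `<tag></tag>` before the browser parsed them; 3.5.0 made that step a no-op. The regex `rxhtmlTag` and the `"<$1></$2>"` replacement are copied from jQuery 3.4.x; the payload string, the `containsActiveHandler` check (a deliberately simplified model of how browsers treat `<style>` raw-text content, not an HTML parser) and the `evaluate` helper are constructed for this example. CVE-2020-11023, which concerns `<option>` elements, is not modelled here.

```javascript
// Added example, not code from the CiviCRM advisory or from jQuery's release.
// Models the htmlPrefilter change jQuery made for CVE-2020-11022. Runs under
// Node without a DOM.

// rxhtmlTag and the "<$1></$2>" replacement as shipped in jQuery 3.4.x
// (src/manipulation/var/rxhtmlTag.js and jQuery.htmlPrefilter).
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0: "<tag .../>" becomes "<tag ...></tag>" (void elements excepted).
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: the string reaches the HTML parser unchanged.
function fixedHtmlPrefilter(html) {
  return html;
}

// Constructed payload. As written, everything after "<style>" is raw text to
// the browser's HTML parser, so the <img> never becomes an element. If the
// inner "<style/>" is rewritten to "<style></style>", the first <style> is
// closed and the <img> with its onerror handler becomes live markup.
const PAYLOAD = "<style><style/><img src=x onerror=alert(1)>";

// Simplified model of one parsing rule: the contents of <style>...</style>
// (and of an unterminated <style>) are raw text and cannot produce elements.
// Returns true if an <img ... onerror=...> survives outside such raw text.
function containsActiveHandler(html) {
  const outsideRawText = html
    .replace(/<style\b[^>]*>[\s\S]*?<\/style\s*>/gi, "") // terminated blocks
    .replace(/<style\b[^>]*>[\s\S]*$/i, "");             // unterminated tail
  return /<img\b[^>]*\bonerror\s*=/i.test(outsideRawText);
}

// Run one prefilter over an HTML string and report what the browser would see.
function evaluate(prefilter, html) {
  const transformed = prefilter(html);
  return { transformed, active: containsActiveHandler(transformed) };
}

// A site that must keep an older jQuery can restore the 3.5.0 behaviour by
// overriding the public hook (whether CiviCRM's backport is implemented this
// way is an assumption of this example, not a statement from the advisory):
//   jQuery.htmlPrefilter = function (html) { return html; };
// The stronger fix is to never pass attacker-controlled strings to .html() or
// .append() at all: use .text(), or build elements and set attributes explicitly.

console.log("jQuery < 3.5.0:", evaluate(legacyHtmlPrefilter, PAYLOAD));
console.log("jQuery >= 3.5.0:", evaluate(fixedHtmlPrefilter, PAYLOAD));
```

Running it shows the same input string producing inert markup under the 3.5.0 behaviour and an active `onerror` handler under the pre-3.5.0 rewrite, which is why the fix is safe to backport without touching the rest of the library: the only behavioural change is that `<tag/>` is no longer expanded.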
Affected versions: CiviCRM 5.28.0 and earlier
Fixed versions: CiviCRM 5.28.1 and 5.27.5 ESR
Remediation: Upgrade to the latest version of CiviCRM.
Credits: Rich Lott of Artfulrobot for reporting the issue; Seamus Lee of the CiviCRM Core Team for fixing the issue.
References: security/core#93, CVE-2020-11022, CVE-2020-11023