CVE-2020-11023

Cross-site Scripting in packagist/drupal/core

Identifiers

CVE-2020-11023, GHSA-jpcq-cgw6-v4j6

Package Slug

packagist/drupal/core

Vulnerability

Cross-site Scripting

Description

In jQuery, passing HTML that contains <option> elements from untrusted sources to one of jQuery's DOM manipulation methods (e.g., .html(), .append(), and others) may execute untrusted code, even if the HTML has been sanitized first.

Affected Versions

All versions starting from 7.0 before 7.70, all versions starting from 8.7.0 before 8.7.14, all versions starting from 8.8.0 before 8.8.6

Solution

Upgrade to versions 8.0.0, 8.7.14, 8.8.6 or above.

Last Modified

2021-02-19
