CVE-2020-7656

Cross-Site Scripting
Affects jQuery in jQuery
Versions <1.9.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps to Reproduce

The jQuery $.load() command provides a simple way to load HTML content from the server and insert it into the current web page. By design, it is supposed to remove <script> tags when called with a selector.

Due to CVE-2020-7656, it fails to recognize and remove <script> tags that contain a whitespace character. An attacker who can influence the loaded content can therefore get script included in it executed, resulting in Cross-Site Scripting (XSS).
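A fixed-string or fixed-pattern match for `<script>` is exactly what the whitespace variants slip past; the durable defence is to read the tag name from the markup and then tolerate whatever whitespace follows it. The example below is added here to illustrate that and is not jQuery's code: `readTag` and `stripScriptElements` are hypothetical helpers, and the tokenizer is deliberately minimal (it does not handle HTML comments or `>` inside attribute values, and fails closed by dropping the rest of the fragment if a script element is never terminated).

```javascript
// Added example (not jQuery's code): remove <script> elements from an HTML
// fragment by tokenising tags rather than matching a literal "<script>".
// Tag names are read after optional whitespace and compared case-insensitively,
// so "<script >", "</ script >" and "<SCRIPT>" are all recognised.

// Describe the tag that starts at html[i] (which must be "<").
function readTag(html, i) {
  let j = i + 1;
  const closing = html[j] === "/";
  if (closing) j++;
  while (j < html.length && /\s/.test(html[j])) j++;        // "< script"
  let name = "";
  while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
  while (j < html.length && html[j] !== ">") j++;           // attributes, spaces
  return { name: name.toLowerCase(), closing, end: j };
}

function stripScriptElements(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { out += html[i++]; continue; }
    const tag = readTag(html, i);
    if (tag.name !== "script") {                  // ordinary tag: keep it
      out += html.slice(i, tag.end + 1);
      i = tag.end + 1;
      continue;
    }
    if (tag.closing) {                            // stray "</script >": drop it
      i = tag.end + 1;
      continue;
    }
    // Script start tag: skip through the matching end tag, whatever
    // whitespace or case it uses. If none is found, the remainder is dropped.
    let k = tag.end + 1;
    while (k < html.length) {
      if (html[k] === "<") {
        const t = readTag(html, k);
        if (t.closing && t.name === "script") { k = t.end + 1; break; }
      }
      k++;
    }
    i = k;
  }
  return out;
}
```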

Addressing the Issue

Clients using jQuery prior to v1.9.1 should upgrade immediately to that version, which contains the fix. Alternatively, clients who need to remain on 1.6 may leverage HeroDevs Never-Ending Support, which provides versions of jQuery with this and other CVEs remediated.

Learning and Prevention

Normally, jQuery $.load() guards against the execution of <script> tags when loading a page fragment. In this case, the method's logic had a flaw that led to a vulnerability. In such cases, the best business practice is to stay abreast of security updates so that your servers remain exposed for the shortest possible time once an exploit has been published.

Conclusion

HeroDevs jQuery Never-Ending Support can make your team’s life easier and more convenient by ensuring that it has the latest, secure code for all your important dependencies. Contact HeroDevs today to sign up for our comprehensive support service.

Resources

NIST CVE-2020-7656 entry

Vulnerability Details

ID: CVE-2020-7656
Project affected: jQuery
Versions affected: <1.9.0
Published date: May 19, 2020
≈ Fix date: February 1, 2023
Fixed in:
Severity: Medium
Category: Cross-Site Scripting

Severity levels (CVSS assessment)
Low: >=0 <4
Medium: >=4 <6
High: >=6 <8
Critical: >=8 <10