Bug 2217733 (CVE-2020-23064)

Summary: CVE-2020-23064 jquery: Cross-site scripting
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jQuery 3.5.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jQuery that makes it vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the <options> element. This flaw allows a remote attacker to use a specially crafted URL to execute a script in a victim's web browser, within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-06-27 11:40:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1882291, 2217735, 2217736, 2217737, 2217738, 2217739, 2217740, 2217741, 2217742, 2217743, 2217744, 2217745, 2217746, 2217747, 2217748, 2217749, 2217750, 2217751, 2217752, 2217753, 2217754, 2217755, 2217756, 2217757, 2217758, 2217759, 2217760, 2217761, 2217762, 2217763, 2219573    
Bug Blocks: 2217774    

Description Avinash Hanwate 2023-06-27 04:14:32 UTC
Cross-site scripting vulnerability in jQuery v.2.2.0 through v.3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://snyk.io/vuln/SNYK-JS-JQUERY-565129

Comment 4 errata-xmlrpc 2025-05-14 17:51:20 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.0

Via RHSA-2025:7625 https://access.redhat.com/errata/RHSA-2025:7625