This repository has been archived by the owner on Jan 9, 2023. It is now read-only.

Upgrade jquery to >= 3.5.0 for CVE-2020-11022 and CVE-2020-11023 #1949

Open

cscicchillo opened this issue Apr 26, 2021 · 0 comments


cscicchillo commented Apr 26, 2021

GEE currently is running jquery 1.8.3 (portable globe code) and jquery 3.2.1 (geedocs code) both of which contain potentially serious vulnerabilities:

"In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code."

CVE records:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Alternatively, if the huge jump in major version is too involved, upgrade 1.8.3 to 1.12.4 and apply the code patches found here:
https://github.com/DanielRuf/snyk-js-jquery-565129
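As an added example, not code from the GEE project, from jQuery, or from the linked patch repository, the block below checks a jQuery version string against the range the two CVEs cover and applies the workaround jQuery's own patch plugin uses for builds that cannot be upgraded: overriding `jQuery.htmlPrefilter` with an identity function so self-closing tags are no longer rewritten before the markup reaches the DOM. The `makeVulnerableStub` object stands in for a real jQuery global and is constructed for the demonstration; 1.8.3 has no `htmlPrefilter` hook at all, which is why the issue suggests moving to 1.12.4 before patching.

```javascript
// Added example: version-range check for CVE-2020-11022 / CVE-2020-11023
// (affected: >= 1.0.3 and < 3.5.0) plus the htmlPrefilter override used as a
// stop-gap on builds that cannot be upgraded. Not GEE or jQuery code.

function parseVersion(v) {
  const parts = String(v).split('.').map(n => parseInt(n, 10));
  if (parts.length < 2 || parts.some(Number.isNaN)) {
    throw new Error('unparseable jQuery version: ' + v);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, '1.0.3') >= 0 &&
         compareVersions(version, '3.5.0') < 0;
}

// jq is any object shaped like the jQuery global: jq.fn.jquery carries the
// version and jq.htmlPrefilter is the pre-insertion hook (present in
// 1.12+/2.2+/3.x, absent in 1.8.3). Returns a short status string.
function applyHtmlPrefilterPatch(jq) {
  const version = jq && jq.fn && jq.fn.jquery;
  if (!version) return 'no-jquery';
  if (!isAffected(version)) return 'not-affected';
  if (typeof jq.htmlPrefilter !== 'function') return 'no-hook';
  // 3.5.0 made htmlPrefilter an identity function; do the same here.
  jq.htmlPrefilter = function (html) { return html; };
  return 'patched';
}

// Constructed stand-in for a vulnerable pre-3.5.0 build: its htmlPrefilter
// expands "<tag/>" into "<tag></tag>", the rewrite that 3.5.0 removed.
function makeVulnerableStub(version) {
  const rxhtmlTag =
    /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;
  return {
    fn: { jquery: version },
    htmlPrefilter: html => html.replace(rxhtmlTag, '<$1></$2>')
  };
}
```

Running the check against the versions named in the issue reports 1.8.3 as affected with no hook to patch and 3.2.1 as affected and patchable.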
