Use of insecure jQuery version in OctoberCMS

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

Issue has been patched in Build 466 (v1.0.466) by applying the recommended patch from @jquery.

Workarounds

Apply https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892 to your installation manually if unable to upgrade to Build 466.

References

https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory:

Email us at octobercms@luketowers.ca & hello@octobercms.com

Threat Assessment

Assessed as Moderate by the @jquery team.

Acknowledgements

Thanks to @mrgswift for reporting the issue to the October CMS team.

Published: Jun 5, 2020
Updated: Apr 14, 2023
GHSA: GHSA-v73w-r9xg-7cr9
Severity: Medium
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
october / october	1.0.319	1.0.466
october / system	1.0.319	1.0.466

Vulnerability Database