Candidate: CVE-2020-7656
PublicDate: 2020-05-19 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7656
 https://snyk.io/vuln/SNYK-JS-JQUERY-569619
Description:
 jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load
 method. The load method fails to recognize and remove "", which results in
 the enclosed script logic to be executed.
Ubuntu-Description:
Notes:
 mdeslaur> This is likely an intrusive, backwards-incompatible change that
 mdeslaur> may break existing software. We will not be fixing this issue
 mdeslaur> in stable Ubuntu releases.
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_jquery:
 upstream: https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a
upstream_jquery: released (1.9.0)
precise/esm_jquery: ignored
trusty_jquery: ignored (out of standard support)
trusty/esm_jquery: ignored
xenial_jquery: ignored
esm-infra/xenial_jquery: ignored
bionic_jquery: not-affected (3.2.1-1)
eoan_jquery: ignored (reached end-of-life)
focal_jquery: not-affected (3.3.1~dfsg-3)
devel_jquery: not-affected (3.3.1~dfsg-3)