GHSA-HGWM-PV9H-Q5M7

Vulnerability from github – Published: 2020-09-18 18:03 – Updated: 2021-10-04 21:19
VLAI?
Summary
Potential XSS in jQuery dependency in Mirador
Details

Impact

Mirador users less than v3.0.0 (alpha-rc) versions that have an unpatched jQuery. When adopters update jQuery they will find some of Mirador functionality to be broken.

Patches

Mirador adopters should update to v3.0.0, no updates exist for v2.x releases.

Workarounds

Yes, Mirador users could fork and create their own custom build of Mirador and make the bug fixes themselves.

References

https://github.com/advisories/GHSA-gxr4-xjj5-5px2 https://github.com/advisories/GHSA-jpcq-cgw6-v4j6

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mirador"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0-alpha.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-17T21:56:19Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nMirador users less than v3.0.0 (alpha-rc) versions that have an unpatched jQuery. When adopters update jQuery they will find some of Mirador functionality to be broken.\n\n### Patches\nMirador adopters should update to v3.0.0, no updates exist for v2.x releases.\n\n### Workarounds\nYes, Mirador users could fork and create their own custom build of Mirador and make the bug fixes themselves.\n\n### References\nhttps://github.com/advisories/GHSA-gxr4-xjj5-5px2\nhttps://github.com/advisories/GHSA-jpcq-cgw6-v4j6\n\n\nhttps://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\nhttps://jquery.com/upgrade-guide/3.5/",
  "id": "GHSA-hgwm-pv9h-q5m7",
  "modified": "2021-10-04T21:19:55Z",
  "published": "2020-09-18T18:03:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ProjectMirador/mirador/security/advisories/GHSA-hgwm-pv9h-q5m7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ProjectMirador/mirador"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Potential XSS in jQuery dependency in Mirador"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.