[20200604] - Core - XSS in jQuery.htmlPrefilter

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-April-10
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-11022 and CVE-2020-11023

Description

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others."

The Drupal project has backported the relevant fixes to jQuery 1.x, and Joomla has adopted that patch.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST