This repository was archived by the owner on Jan 9, 2023. It is now read-only.
This repository was archived by the owner on Jan 9, 2023. It is now read-only.
Upgrade jquery to >= 3.5.0 for CVE-2020-11022 and CVE-2020-11023 #1949
Description
GEE currently is running jquery 1.8.3 (portable globe code) and jquery 3.2.1 (geedocs code) both of which contain potentially serious vulnerabilities:
"In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. "
CVE records:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Alternatively, if the huge jump in major version is too involved, upgrade 1.8.3 to 1.12.4 and apply the code patches found here:
https://github.com/DanielRuf/snyk-js-jquery-565129