the version of jquery packaged in the werkzeug debugger has a security exposure #1891

Closed
scottdickerson opened this issue Jul 15, 2020 · 1 comment

Comments

@scottdickerson

According to our security scanning tool, the packaged version of jquery inside Werkzeug has a security exposure.

When I run a security exposure scan on the werkzeug library I get this jquery issue:
https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-11022

s/werkzeug/debug/shared/jquery.js

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Environment:

  • Python version: 3.7
  • Werkzeug version: 1.0.1
@davidism
Member

davidism commented Jul 15, 2020

Please see previous discussions about jQuery before reporting new issues. jQuery is only used by the debugger in the development server, which is already a huge hole if you're running it anywhere where the ability to craft an XSS for it would matter. These CVEs are not relevant for the way jQuery is used by Werkzeug. Your security tools should be able to account for that so that you can ignore irrelevant results.

That said, we have already removed jQuery completely for 2.0: #1807. And before we did that, we had already upgraded it to 3.5.1: #1806.
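The thread turns on two separate questions: does the bundled file fall inside the advisory's stated range (>= 1.2 and < 3.5.0), and does that range matter for how the file is served. The script below, an added example that is not part of the issue or of Werkzeug's code, answers only the first question in a way a scanner triage step could reuse: it pulls the version out of a jQuery banner line and compares it against the range quoted in the issue. The banner strings are constructed samples, not copies of Werkzeug's shipped file, and the file names are hypothetical. Whether a match is worth acting on still depends on where the file is served from, which here is only the development-server debugger, as the maintainer's reply explains.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample banner lines (not files taken from the Werkzeug repo).
# Real jQuery builds start with a comment like these, so a triage tool can
# read the version without executing anything.
SAMPLE_HEADERS: Dict[str, str] = {
    "old/jquery.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
    "pre-fix/jquery.js": "/*!\n * jQuery JavaScript Library v3.4.1\n * https://jquery.com/\n */",
    "fixed/jquery.js": "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */",
    "ancient/jquery.js": "/*! jQuery v1.1.4 */",  # below the range's lower bound
    "notjquery.js": "// some other library, no jQuery banner here",
}

# Matches both the minified banner ("jQuery v3.5.1") and the unminified one
# ("jQuery JavaScript Library v3.4.1"); the patch component is optional.
VERSION_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?")

# Affected range exactly as quoted in the issue: >= 1.2 and before 3.5.0.
AFFECTED_LOW: Tuple[int, int, int] = (1, 2, 0)
FIXED: Tuple[int, int, int] = (3, 5, 0)


def parse_jquery_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a jQuery banner, or None if absent."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version sits inside the advisory's half-open range."""
    # Tuple comparison is lexicographic, so this is a proper semver-style check
    # for the three-component versions jQuery uses.
    return AFFECTED_LOW <= version < FIXED


def classify(text: str) -> str:
    """Label one file's contents for a triage report."""
    version = parse_jquery_version(text)
    if version is None:
        return "no-jquery-banner"
    return "affected" if is_affected(version) else "not-affected"


def scan(samples: Dict[str, str]) -> Dict[str, str]:
    """Classify every (path, contents) pair; keys are kept for the report."""
    return {path: classify(contents) for path, contents in samples.items()}


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_HEADERS).items():
        print(f"{path}: {verdict}")
```

Running it prints `affected` for the 1.12.4 and 3.4.1 samples, `not-affected` for 3.5.1 and 1.1.4, and `no-jquery-banner` for the file without a header. Feeding real files in is a matter of reading their first kilobyte into the dictionary; the range check itself does not change.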

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020