N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-v73w-r9xg-7cr9

EPSS Score

CWE

Published

6/5/2020

Updated

1/9/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-v73w-r9xg-7cr9

GHSA-v73w-r9xg-7cr9: Use of insecure jQuery version in OctoberCMS

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

Issue has been patched in Build 466 (v1.0.466) by applying the recommended patch from @jquery.

Workarounds

Apply https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892 to your installation manually if unable to upgrade to Build 466.

References

https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory:

Email us at octobercms@luketowers.ca & hello@octobercms.com

Threat Assessment

Assessed as Moderate by the @jquery team.

Acknowledgements

Thanks to @mrgswift for reporting the issue to the October CMS team.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-v73w-r9xg-7cr9

EPSS Score

CWE

Published

6/5/2020

Updated

1/9/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
october/october	composer	>= 1.0.319, < 1.0.466	1.0.466
october/system	composer	>= 1.0.319, < 1.0.466	1.0.466

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems directly from using jQuery <3.5.0. The advisory explicitly calls out DOM manipulation methods like html() and append() as vulnerable vectors. OctoberCMS's commit 5c7ba9f patches this by updating jQuery files, confirming the vulnerability resides in these bundled JS files. While no OctoberCMS PHP functions are explicitly listed, the frontend JS dependencies (jQuery methods) are the attack surface. The high confidence comes from: 1) Direct reference to jQuery's CVE-2020-11022 in the advisory, 2) Patch clearly updating jQuery files, and 3) Vulnerability mechanism being well-documented in jQuery's own security guidance.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t P*ssin* *TML *rom untrust** sour**s - *v*n **t*r s*nitizin* it - to on* o* jQu*ry's *OM m*nipul*tion m*t*o*s (i.*. .*tml(), .*pp*n*(), *n* ot**rs) m*y *x**ut* untrust** *o**. ### P*t***s Issu* **s ***n p*t**** in *uil* *** (v*.*.***) *y *

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom usin* `jQu*ry` <*.*.*. T** **visory *xpli*itly **lls out *OM m*nipul*tion m*t*o*s lik* `*tml()` *n* `*pp*n*()` *s vuln*r**l* v**tors. O*to**r*MS's *ommit ******* p*t***s t*is *y up**tin* `jQu*ry` *il*s, *on*irmin

N/A

Basic Information

Concerned about an active attack path?

GHSA-v73w-r9xg-7cr9: Use of insecure jQuery version in OctoberCMS

Impact

Patches

Workarounds

References

For more information

Threat Assessment

Acknowledgements

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI