Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Issue has been patched in Build 466 (v1.0.466) by applying the recommended patch from @jquery.
Apply https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892 to your installation manually if unable to upgrade to Build 466.
If you have any questions or comments about this advisory:
Assessed as Moderate by the @jquery team.
Thanks to @mrgswift for reporting the issue to the October CMS team.
CPE | Name | Operator | Version |
---|---|---|---|
october/system | lt | 1.0.466 | |
october/october | lt | 1.0.466 |