If your application was written in 2014, you likely use jQuery for:
Every day jQuery v2.1.3 remains in production, your users are one crafted comment or phishing link away from complete compromise. Update today.
jquery v2.1.3 vulnerabilities

It is crucial to note that the jQuery team has since released patches in higher sub-versions (2.1.4, 2.2.x, and the 3.x branches). Because 2.1.3 is a client-side library, these vulnerabilities are exploitable by any malicious user who can inject scripts into your application or trick a user into clicking a crafted link.

Though v2.1.3 was released years before these vulnerabilities were officially discovered, it is affected by several significant security issues:

Prototype Pollution (CVE-2019-11358):
This vulnerability is particularly insidious because it exploits the trust the library places in the server's response headers.

Severity: Medium to High. Status: Fixed in jQuery 3.5.0 (2.1.3 is vulnerable).

Do not run npm update jquery blindly. First, move to the latest stable 3.x release.
All versions of jQuery before 3.4.0 are susceptible to prototype pollution through deep $.extend().

    // In jQuery v2.1.3, this pollutes Object.prototype.
    // JSON.parse turns "__proto__" into an ordinary own key, and the
    // deep (true) extend walks into it and writes onto Object.prototype.
    var malicious = JSON.parse('{"__proto__": {"isAdmin": true}}');
    $.extend(true, {}, malicious);
    // From here on, every plain object reports ({}).isAdmin === true.
Prototype pollution is a subtle but devastating vulnerability. It allows an attacker to modify JavaScript's core object prototype (Object.prototype). jQuery v2.1.3 uses a recursive $.extend() method. If an attacker controls the source object passed to this method with the deep flag set, they can inject properties into the global object chain, and every object in the page inherits them.
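The guard that closes this hole is small: jQuery 3.4.0 made $.extend() skip the "__proto__" key while recursing. The following is an added example (not jQuery's own code) of a deep merge with that guard, plus a helper that checks whether Object.prototype has picked up a given key; the names safeDeepExtend, isPlainObject and protoIsPolluted are hypothetical, and the payload is constructed to match the one shown above.

```javascript
// Added example, not jQuery's code. safeDeepExtend, isPlainObject and
// protoIsPolluted are hypothetical helper names.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Deep merge of untrusted sources into target, refusing to walk into
// "__proto__" (the jQuery 3.4.0 fix). "constructor"/"prototype" are also
// skipped as an extra guard, since constructor.prototype reaches
// Object.prototype through a different path.
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    if (source === null || typeof source !== "object") continue;
    // Own enumerable keys only; JSON.parse makes "__proto__" an own key.
    for (const key of Object.keys(source)) {
      if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
      const copy = source[key];
      if (copy === target) continue; // avoid a never-ending merge loop
      if (isPlainObject(copy) || Array.isArray(copy)) {
        const existing = target[key];
        const clone = Array.isArray(copy)
          ? (Array.isArray(existing) ? existing : [])
          : (isPlainObject(existing) ? existing : {});
        target[key] = safeDeepExtend(clone, copy);
      } else if (copy !== undefined) {
        target[key] = copy;
      }
    }
  }
  return target;
}

// Detection helper: has any of these keys been written onto Object.prototype?
function protoIsPolluted(...keys) {
  return keys.some((k) => Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Constructed payload, same shape as the article's example.
const malicious = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "guest"}');
const merged = safeDeepExtend({}, malicious);
console.log("merged:", merged, "polluted:", protoIsPolluted("isAdmin")); // polluted: false
```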