Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Patches
Issue has been patched in Build 466 (v1.0.466) by applying the recommended patch from @jquery.
Workarounds
Apply 5c7ba9f to your installation manually if unable to upgrade to Build 466.
References
For more information
If you have any questions or comments about this advisory:
Threat Assessment
Assessed as Moderate by the @jquery team.
Acknowledgements
Thanks to @mrgswift for reporting the issue to the October CMS team.
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Patches
Issue has been patched in Build 466 (v1.0.466) by applying the recommended patch from @jquery.
Workarounds
Apply 5c7ba9f to your installation manually if unable to upgrade to Build 466.
References
For more information
If you have any questions or comments about this advisory:
Threat Assessment
Assessed as Moderate by the @jquery team.
Acknowledgements
Thanks to @mrgswift for reporting the issue to the October CMS team.