Description
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (such as .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
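As an added example (not part of the original advisory), the following check flags script URLs that load a jQuery build inside the affected range, so pages still needing the 3.5.0 upgrade can be inventoried. The URL patterns, function names and sample URLs are assumptions chosen for illustration; builds served under other file names need the version read another way.

```javascript
// Added example: flag script URLs that load jQuery >= 1.0.3 and < 3.5.0.
// Assumed URL shapes: jquery-X.Y.Z[.slim][.min].js and
// .../jquery/X.Y.Z/jquery[.slim][.min].js (hypothetical helper names).
const AFFECTED_FROM = [1, 0, 3]; // inclusive lower bound from the advisory
const FIXED_IN = [3, 5, 0];      // exclusive upper bound (patched release)

const URL_PATTERNS = [
  /(?:^|\/)jquery-(\d+(?:\.\d+){1,2})(?:\.slim)?(?:\.min)?\.js(?:[?#]|$)/i,
  /\/jquery\/(\d+(?:\.\d+){1,2})\/jquery(?:\.slim)?(?:\.min)?\.js(?:[?#]|$)/i,
];

// "1.4" -> [1, 4, 0]; missing components are treated as 0.
function parseVersion(text) {
  const parts = text.split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison, so 1.12.4 sorts after 1.9.1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(versionText) {
  const v = parseVersion(versionText);
  return compareVersions(v, AFFECTED_FROM) >= 0 &&
         compareVersions(v, FIXED_IN) < 0;
}

// Returns one finding per URL that names a jQuery core build.
function auditScriptUrls(urls) {
  const findings = [];
  for (const url of urls) {
    const pattern = URL_PATTERNS.find((p) => p.test(url));
    if (!pattern) continue; // not jQuery core (e.g. jquery-ui, jquery-migrate)
    const version = pattern.exec(url)[1];
    findings.push({ url, version, affected: isAffected(version) });
  }
  return findings;
}

// Constructed sample input, not taken from any real site.
const SAMPLE_URLS = [
  "https://code.jquery.com/jquery-3.4.1.min.js",
  "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js",
  "/static/js/jquery-1.12.4.js?v=7",
  "/static/js/jquery-ui-1.12.1.min.js",
];
```

A URL that carries no version string is skipped rather than reported as unaffected, so an empty result is not evidence that a page is patched.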
Remediation
References