The ZK framework includes a customized jQuery library. Replacing the bundled jQuery in ZK to fix a security vulnerability is not an option, because ZK and jQuery are deeply integrated through ZK-specific customizations. jQuery also introduces breaking changes between major versions, so simply swapping in a newer jQuery will not work.
To address a jQuery vulnerability, upgrade ZK to a patched or non-affected version.
ZK version | Bundled jQuery version | Fixed vulnerabilities |
---|---|---|
9.1.0 or above | 3.5.1 | CVE-2020-11022 (affects jQuery versions >= 1.2 and < 3.5.0); CVE-2020-11023 (affects jQuery versions >= 1.0.3 and < 3.5.0) |
9.0.0 | 1.12.4 | |
8.6.4.1, 8.6.3.1, 8.6.0.2, 8.5.1.3, 8.5.0.1 | 1.10.2 with security patches | CVE-2015-9251 (ZK-3724; affects jQuery versions < 3.0.0); CVE-2019-11358 (ZK-4599; affects jQuery versions < 3.4.0) |
You can check the ZK-bundled jQuery version with this JS variable: `jq.fn.jquery`.
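As an added example (not ZK's own code), the following script checks a jQuery version string, such as the value of `jq.fn.jquery` read in the browser console of a ZK application, against the affected ranges listed in the table above. Note that a version string alone cannot reveal backported patches, so for the 8.x releases shipping "1.10.2 with security patches" the ZK version table, not this check, is authoritative.

```javascript
// Added example, not part of ZK or this page: match a jQuery version string
// (e.g. the value of `jq.fn.jquery`) against the affected ranges in the table.
// Ranges below are the ones stated on this page; `null` means "no lower bound".
const ADVISORIES = [
  { id: "CVE-2015-9251",  min: null,    max: "3.0.0" }, // < 3.0.0
  { id: "CVE-2019-11358", min: null,    max: "3.4.0" }, // < 3.4.0
  { id: "CVE-2020-11022", min: "1.2",   max: "3.5.0" }, // >= 1.2   and < 3.5.0
  { id: "CVE-2020-11023", min: "1.0.3", max: "3.5.0" }, // >= 1.0.3 and < 3.5.0
];

// Parse "3.5.1" (or "1.10.2-pre") into numeric parts; missing parts count as 0.
function parseVersion(v) {
  const parts = String(v).split("-")[0].split(".").map(Number);
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error("unrecognised version string: " + v);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Compare two version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return the IDs of all advisories whose affected range covers `version`.
function affectedAdvisories(version) {
  return ADVISORIES
    .filter(a => (a.min === null || compareVersions(version, a.min) >= 0)
              && compareVersions(version, a.max) < 0)
    .map(a => a.id);
}

// In a browser console on a ZK page you would call: affectedAdvisories(jq.fn.jquery)
// For the stock versions in the table above (constructed inputs):
//   affectedAdvisories("3.5.1")  -> []
//   affectedAdvisories("1.12.4") -> all four IDs
```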