#VU27519 Cross-site scripting in jQuery - CVE-2020-11023


| Updated: 2025-01-23

Vulnerability identifier: #VU27519

Vulnerability risk: Low

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:A/U:Clear]

CVE-ID: CVE-2020-11023

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
jQuery
Web applications / JS libraries

Vendor: The jQuery Team

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jQuery: 1.0 - 3.4.1

External links
https://blog.jquery.com/2020/05/04/jquery-3-5-1-released-fixing-a-regression/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability


Anolis OS update for doxygen
Anolis OS update for gcc
Multiple vulnerabilities in OpenShift Logging 5.8
Multiple vulnerabilities in Multicluster GlobalHub 1.2
Anolis OS update for gcc
Anolis OS update for gcc-toolset-13-gcc
Anolis OS update for doxygen
Anolis OS update for tbb
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.18
Multiple vulnerabilities in Red Hat OpenShift Dev Spaces 3.19