Potential XSS vulnerability in jQuery
CVE-2020-11022

6.9MEDIUM

Key Information:

Vendor
Jquery
Status
Jquery
Vendor
CVE Published:
29 April 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Affected Version(s)

jQuery >= 1.2, < 3.5.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-11022-CVE-2020-11023
Created by 0xAJ2K

https-nj.gov---CVE-2020-11022
Created by Snorlyd

References

https://www.debian.org/security/2020/dsa-4693
vendor-advisory
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.