Potential XSS vulnerability in jQuery
CVE-2020-11022
6.9 MEDIUM
Key Information:
Badges
Exploit Exists | Public PoC
What is CVE-2020-11022?
In jQuery versions starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (such as .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Affected Version(s)
jQuery >= 1.12.0, < 3.5.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
