Skip to main content

Jquery CVE-2020-11022

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-04-29 security-advisories@github.com
XSS Jquery Drupal Debian Linux Fedora Agile Product Lifecycle Management For Process Application Testing Suite Banking Digital Experience Blockchain Platform Communications Application Session Controller Communications Billing And Revenue Management Communications Diameter Signaling Router Idih Communications Eagle Application Processor Communications Services Gatekeeper Communications Webrtc Session Controller Enterprise Manager Ops Center Enterprise Session Border Controller Financial Services Analytical Applications Infrastructure Financial Services Analytical Applications Reconciliation Framework Financial Services Asset Liability Management Financial Services Balance Sheet Planning Financial Services Basel Regulatory Capital Basic Financial Services Basel Regulatory Capital Internal Ratings Based Approach Financial Services Data Foundation Financial Services Data Governance For Us Regulatory Reporting Financial Services Data Integration Hub Financial Services Funds Transfer Pricing Financial Services Hedge Management And Ifrs Valuations Financial Services Institutional Performance Analytics Financial Services Liquidity Risk Management Financial Services Liquidity Risk Measurement And Management Financial Services Loan Loss Forecasting And Provisioning Financial Services Market Risk Measurement And Management Financial Services Price Creation And Discovery Financial Services Profitability Management Financial Services Regulatory Reporting For European Banking Authority Financial Services Regulatory Reporting For Us Federal Reserve Healthcare Foundation Hospitality Materials Control Hospitality Simphony Insurance Accounting Analyzer Insurance Allocation Manager For Enterprise Profitability Insurance Data Foundation Insurance Insbridge Rating And Underwriting Jdeveloper Peoplesoft Enterprise Peopletools Policy Automation Policy Automation Connector For Siebel Policy Automation For Mobile Devices Retail Back Office Retail Customer Management And Segmentation Foundation Retail Returns Management Siebel Ui Framework Storagetek Acsls Weblogic Server Max Data Oncommand Insight Oncommand System Manager Snap Creator Framework Snapcenter H300s Firmware H500s Firmware H700s Firmware H300E Firmware H500E Firmware H700E Firmware H410s Firmware H410c Firmware Leap Log Correlation Engine Agile Product Supplier Collaboration For Process
6.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 29, 2020 - 22:15 github-advisory
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 npm packages depend on jquery (11 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.12.0.

DescriptionGitHub Advisory

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

AnalysisAI

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. Affected products include: Jquery, Drupal, Debian Debian Linux, Fedoraproject Fedora, Oracle Agile Product Lifecycle Management For Process. Version information: before 3.5.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

Share

CVE-2020-11022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy