6.9

CVE-2020-11022

Exploit

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Data is provided by the National Vulnerability Database (NVD)
JqueryJquery Version >= 1.2 < 3.5.0
DrupalDrupal Version >= 7.0 < 7.70
DrupalDrupal Version >= 8.7.0 < 8.7.14
DrupalDrupal Version >= 8.8.0 < 8.8.6
DebianDebian Linux Version9.0
FedoraprojectFedora Version31
FedoraprojectFedora Version32
FedoraprojectFedora Version33
OracleApplication Testing Suite Version13.3.0.1
OracleBlockchain Platform Version < 21.1.2
OracleCommunications Eagle Application Processor Version >= 16.1.0 <= 16.4.0
OracleFinancial Services Data Foundation Version >= 8.0.6 <= 8.1.0
OracleHealthcare Foundation Version7.1.1
OracleHealthcare Foundation Version7.2.0
OracleHealthcare Foundation Version7.2.1
OracleHealthcare Foundation Version7.3.0
OracleHospitality Simphony Version >= 19.1.0 <= 19.1.2
OracleHospitality Simphony Version18.1
OracleHospitality Simphony Version18.2
OracleInsurance Data Foundation Version >= 8.0.6 <= 8.1.0
OracleInsurance Insbridge Rating And Underwriting Version >= 5.0.0.0 <= 5.6.0.0
OracleJdeveloper Version11.1.1.9.0
OracleJdeveloper Version12.2.1.3.0
OracleJdeveloper Version12.2.1.4.0
OraclePolicy Automation Version >= 12.2.0 <= 12.2.20
OraclePolicy Automation For Mobile Devices Version >= 12.2.0 <= 12.2.20
OracleRetail Back Office Version14.0
OracleRetail Back Office Version14.1
OracleSiebel Ui Framework Version20.8
OracleStoragetek Acsls Version8.5.1
OracleWeblogic Server Version10.3.6.0.0
OracleWeblogic Server Version12.1.3.0.0
OracleWeblogic Server Version12.2.1.3.0
OracleWeblogic Server Version12.2.1.4.0
OracleWeblogic Server Version14.1.1.0.0
NetappMax Data Version-
NetappOncommand Insight Version-
NetappOncommand System Manager Version >= 3.0 <= 3.1.3
NetappSnapcenter Version-
NetappH300s Firmware Version-
   NetappH300s Version-
NetappH500s Firmware Version-
   NetappH500s Version-
NetappH700s Firmware Version-
   NetappH700s Version-
NetappH300e Firmware Version-
   NetappH300e Version-
NetappH500e Firmware Version-
   NetappH500e Version-
NetappH700e Firmware Version-
   NetappH700e Version-
NetappH410s Firmware Version-
   NetappH410s Version-
NetappH410c Firmware Version-
   NetappH410c Version-
OpensuseLeap Version15.1
OpensuseLeap Version15.2
TenableLog Correlation Engine Version < 6.0.9
OracleBanking Digital Experience Version >= 18.1 <= 20.1
OracleFinancial Services Data Foundation Version >= 8.0.6 <= 8.1.0
OracleHealthcare Foundation Version7.1.1
OracleHealthcare Foundation Version7.2.0
OracleHealthcare Foundation Version7.2.1
OracleHealthcare Foundation Version7.3.0
OracleHospitality Simphony Version18.1
OracleHospitality Simphony Version18.2
OracleHospitality Simphony Version19.1.0-19.1.2
OracleInsurance Data Foundation Version8.0.6-8.1.0
OracleInsurance Insbridge Rating And Underwriting Version >= 5.0.0.0 <= 5.6.0.0
OracleJdeveloper Version11.1.1.9.0
OracleJdeveloper Version12.2.1.3.0
OracleJdeveloper Version12.2.1.4.0
OraclePolicy Automation Version >= 12.2.0 <= 12.2.20
OraclePolicy Automation For Mobile Devices Version >= 12.2.0 <= 12.2.20
OracleRetail Back Office Version14.0
OracleRetail Back Office Version14.1
OracleSiebel Ui Framework Version20.8
OracleWeblogic Server Version10.3.6.0.0
OracleWeblogic Server Version12.1.3.0.0
OracleWeblogic Server Version12.2.1.3.0
OracleWeblogic Server Version12.2.1.4.0
OracleWeblogic Server Version14.1.1.0.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 22.55% 0.956
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
security-advisories@github.com 6.9 1.6 4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://jquery.com/upgrade-guide/3.5/
Vendor Advisory
Mitigation