6.9

CVE-2020-11022

Exploit

jQuery has a potential XSS vulnerability

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
JqueryJquery Version >= 1.2 < 3.5.0
DrupalDrupal Version >= 7.0 < 7.70
DrupalDrupal Version >= 8.7.0 < 8.7.14
DrupalDrupal Version >= 8.8.0 < 8.8.6
DebianDebian Linux Version9.0
FedoraprojectFedora Version31
FedoraprojectFedora Version32
FedoraprojectFedora Version33
OracleApplication Testing Suite Version13.3.0.1
OracleBlockchain Platform Version < 21.1.2
OracleCommunications Eagle Application Processor Version >= 16.1.0 <= 16.4.0
OracleFinancial Services Data Foundation Version >= 8.0.6 <= 8.1.0
OracleHealthcare Foundation Version7.1.1
OracleHealthcare Foundation Version7.2.0
OracleHealthcare Foundation Version7.2.1
OracleHealthcare Foundation Version7.3.0
OracleHospitality Simphony Version >= 19.1.0 <= 19.1.2
OracleHospitality Simphony Version18.1
OracleHospitality Simphony Version18.2
OracleInsurance Data Foundation Version >= 8.0.6 <= 8.1.0
OracleInsurance Insbridge Rating And Underwriting Version >= 5.0.0.0 <= 5.6.0.0
OracleJdeveloper Version11.1.1.9.0
OracleJdeveloper Version12.2.1.3.0
OracleJdeveloper Version12.2.1.4.0
OraclePolicy Automation Version >= 12.2.0 <= 12.2.20
OraclePolicy Automation For Mobile Devices Version >= 12.2.0 <= 12.2.20
OracleRetail Back Office Version14.0
OracleRetail Back Office Version14.1
OracleSiebel Ui Framework Version20.8
OracleStoragetek Acsls Version8.5.1
OracleWeblogic Server Version10.3.6.0.0
OracleWeblogic Server Version12.1.3.0.0
OracleWeblogic Server Version12.2.1.3.0
OracleWeblogic Server Version12.2.1.4.0
OracleWeblogic Server Version14.1.1.0.0
NetappMax Data Version-
NetappOncommand Insight Version-
NetappOncommand System Manager Version >= 3.0 <= 3.1.3
NetappSnapcenter Version-
NetappH300s Firmware Version-
   NetappH300s Version-
NetappH500s Firmware Version-
   NetappH500s Version-
NetappH700s Firmware Version-
   NetappH700s Version-
NetappH300e Firmware Version-
   NetappH300e Version-
NetappH500e Firmware Version-
   NetappH500e Version-
NetappH700e Firmware Version-
   NetappH700e Version-
NetappH410s Firmware Version-
   NetappH410s Version-
NetappH410c Firmware Version-
   NetappH410c Version-
OpensuseLeap Version15.1
OpensuseLeap Version15.2
TenableLog Correlation Engine Version < 6.0.9
OracleBanking Digital Experience Version >= 18.1 <= 20.1
OracleFinancial Services Data Foundation Version >= 8.0.6 <= 8.1.0
OracleHealthcare Foundation Version7.1.1
OracleHealthcare Foundation Version7.2.0
OracleHealthcare Foundation Version7.2.1
OracleHealthcare Foundation Version7.3.0
OracleHospitality Simphony Version18.1
OracleHospitality Simphony Version18.2
OracleHospitality Simphony Version19.1.0-19.1.2
OracleInsurance Data Foundation Version8.0.6-8.1.0
OracleInsurance Insbridge Rating And Underwriting Version >= 5.0.0.0 <= 5.6.0.0
OracleJdeveloper Version11.1.1.9.0
OracleJdeveloper Version12.2.1.3.0
OracleJdeveloper Version12.2.1.4.0
OraclePolicy Automation Version >= 12.2.0 <= 12.2.20
OraclePolicy Automation For Mobile Devices Version >= 12.2.0 <= 12.2.20
OracleRetail Back Office Version14.0
OracleRetail Back Office Version14.1
OracleSiebel Ui Framework Version20.8
OracleWeblogic Server Version10.3.6.0.0
OracleWeblogic Server Version12.1.3.0.0
OracleWeblogic Server Version12.2.1.3.0
OracleWeblogic Server Version12.2.1.4.0
OracleWeblogic Server Version14.1.1.0.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.02% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
security-advisories@github.com 6.9 1.6 4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://www.oracle.com/security-alerts/cpujul2021.html
https://www.tenable.com/security/tns-2020-11
Third Party Advisory
https://www.tenable.com/security/tns-2021-10
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
Broken Link
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
Broken Link
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
Broken Link
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
https://jquery.com/upgrade-guide/3.5/
Vendor Advisory
Mitigation
https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
https://security.gentoo.org/glsa/202007-03
Third Party Advisory
https://security.netapp.com/advisory/ntap-20200511-0006/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4693
Third Party Advisory
https://www.drupal.org/sa-core-2020-002
Third Party Advisory
https://www.tenable.com/security/tns-2021-02
Third Party Advisory
http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
Third Party Advisory
Exploit
VDB Entry
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Vendor Advisory
Release Notes
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
Patch
Third Party Advisory
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
Third Party Advisory
Mitigation
https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3Ccommits.airflow.apache.org%3E
https://www.tenable.com/security/tns-2020-10
Third Party Advisory
http://security.netapp.com/advisory/ntap-20200511-0006
https://github.com/jquery/jquery/releases/tag/3.5.0
https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc
https://github.com/maximebf/php-debugbar/issues/447
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml
https://jquery.com/upgrade-guide/3.5
https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
https://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html