6.9

CVE-2020-11023

Warning
Exploit

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Data is provided by the National Vulnerability Database (NVD)
Vendor | Product | Version
Jquery | Jquery | >= 1.0.3 < 3.5.0
Debian | Debian Linux | 9.0
Fedoraproject | Fedora | 31
Fedoraproject | Fedora | 32
Fedoraproject | Fedora | 33
Drupal | Drupal | >= 7.0 < 7.70
Drupal | Drupal | >= 8.7.0 < 8.7.14
Drupal | Drupal | >= 8.8.0 < 8.8.6
Oracle | Application Express | < 20.2
Oracle | Application Testing Suite | 13.3.0.1
Oracle | Banking Enterprise Collections | >= 2.7.0 <= 2.8.0
Oracle | Banking Platform | >= 2.4.0 <= 2.10.0
Oracle | Business Intelligence | 5.9.0.0.0 (enterprise edition)
Oracle | Communications Analytics | 12.1.1
Oracle | Communications Eagle Application Processor | >= 16.1.0 <= 16.4.0
Oracle | Communications Operations Monitor | >= 4.1 <= 4.3
Oracle | Health Sciences Inform | 6.3.0
Oracle | Hyperion Financial Reporting | 11.1.2.4
Oracle | Jd Edwards Enterpriseone Tools | < 9.2.5.0
Oracle | Oss Support Tools | < 2.12.41
Oracle | Primavera Gateway | >= 16.2 <= 16.2.11
Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.7
Oracle | Primavera Gateway | >= 18.8.0 <= 18.8.9
Oracle | Primavera Gateway | >= 19.12.0 <= 19.12.4
Oracle | Rest Data Services | 11.2.0.4
Oracle | Rest Data Services | 12.1.0.2
Oracle | Rest Data Services | 12.2.0.1
Oracle | Rest Data Services | 18c
Oracle | Rest Data Services | 19c
Oracle | Siebel Mobile | <= 20.12
Oracle | Storagetek Acsls | 8.5.1
Oracle | Webcenter Sites | 12.2.1.3.0
Oracle | Webcenter Sites | 12.2.1.4.0
Oracle | Weblogic Server | 12.1.3.0.0
Oracle | Weblogic Server | 12.2.1.3.0
Oracle | Weblogic Server | 12.2.1.4.0
Oracle | Weblogic Server | 14.1.1.0.0
Netapp | H300s Firmware | -
   Netapp | H300s | -
Netapp | H500s Firmware | -
   Netapp | H500s | -
Netapp | H700s Firmware | -
   Netapp | H700s | -
Netapp | H300e Firmware | -
   Netapp | H300e | -
Netapp | H500e Firmware | -
   Netapp | H500e | -
Netapp | H700e Firmware | -
   Netapp | H700e | -
Netapp | H410s Firmware | -
   Netapp | H410s | -
Netapp | H410c Firmware | -
   Netapp | H410c | -
Netapp | Max Data | -
Netapp | Oncommand Insight | -
Netapp | Oncommand System Manager | >= 3.0 <= 3.1.3
Netapp | Snapcenter Server | -
Tenable | Log Correlation Engine | < 6.0.9

23.01.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: JQuery Cross-Site Scripting (XSS) Vulnerability

Description: JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.

Required actions: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
EPSS Metrics

Type | Source | Score | Percentile
EPSS | FIRST.org | 21.32% | 0.955
CVSS Metrics

Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N
security-advisories@github.com | 6.9 | 1.6 | 4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://jquery.com/upgrade-guide/3.5/ (Vendor Advisory, Release Notes)