⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2020-11022

Severity
6.1 MEDIUM
EPSS
2.1%
top 15.81%
CISA KEV
Not in KEV
Exploit
Exploited in wild (active exploitation observed)
Timeline
Published: Apr 29
Latest update: Apr 14

Description

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code, even if that HTML was sanitized first. The root cause is jQuery.htmlPrefilter, which rewrote self-closing tags such as `<tag/>` into `<tag></tag>` with a regular expression that does not understand attribute quoting, so a `/>` inside an attribute value could be rewritten in a way that closes the attribute and creates a new element after the sanitizer has already run. This problem is patched in jQuery 3.5.0, where htmlPrefilter no longer modifies its input.
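The following is an added example, not code from this page or from the jQuery project. It models the pre-3.5.0 jQuery.htmlPrefilter regex beside the 3.5.0 identity version and runs both over the proof-of-concept payload published with the jQuery 3.5.0 advisory, a single <img> whose alt and title attributes hold harmless-looking text and which therefore passes most HTML sanitizers. The startTags scanner is a simplified stand-in for a browser tokenizer, written for this example, that shows why the rewrite matters: after the prefilter the same string contains a second <img> with an onerror handler. The names vulnerableHtmlPrefilter, patchedHtmlPrefilter, startTags and executableHandlerAttrs are this example's own.

```javascript
// Added example (not jQuery's code): a model of the htmlPrefilter behaviour
// behind CVE-2020-11022, run against the public PoC payload.

// Regex and replacement as used by jQuery.htmlPrefilter in jQuery <= 3.4.1:
// every "<tag .../>" whose name is not a void element is rewritten to
// "<tag ...></tag>". The pattern has no notion of attribute quoting, so a
// "/>" that sits inside an attribute value is rewritten as well.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function vulnerableHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0: htmlPrefilter became an identity function.
function patchedHtmlPrefilter(html) {
  return html;
}

// Minimal start-tag scanner that honours quoted attribute values, roughly
// the way a browser tokenizer does (example helper, not a full HTML parser).
// Returns one { name, attrs } entry per start tag, attrs = attribute names.
function startTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i++; continue; }
    if (html[i + 1] === "/") {                // end tag: skip to ">"
      const close = html.indexOf(">", i);
      i = close === -1 ? html.length : close + 1;
      continue;
    }
    if (!/[a-zA-Z]/.test(html[i + 1] || "")) { i++; continue; }
    let j = i + 1;                            // tag name
    while (j < html.length && !/[\s\/>]/.test(html[j])) j++;
    const name = html.slice(i + 1, j).toLowerCase();
    const attrs = [];
    while (j < html.length && html[j] !== ">") {   // attributes
      if (/[\s\/]/.test(html[j])) { j++; continue; }
      let k = j;
      while (k < html.length && !/[\s=\/>]/.test(html[k])) k++;
      attrs.push(html.slice(j, k).toLowerCase());
      j = k;
      while (j < html.length && /\s/.test(html[j])) j++;
      if (html[j] === "=") {                  // attribute value
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        if (html[j] === '"' || html[j] === "'") {
          const end = html.indexOf(html[j], j + 1);   // quoted: skip to closing quote
          j = end === -1 ? html.length : end + 1;
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) j++;  // unquoted
        }
      }
    }
    tags.push({ name, attrs });
    i = j + 1;
  }
  return tags;
}

// Names of event-handler attributes (on*) that the scanner sees as real
// attributes of real tags, i.e. what a browser would actually wire up.
function executableHandlerAttrs(html) {
  return startTags(html).flatMap(t => t.attrs.filter(a => a.startsWith("on")));
}

// PoC from the jQuery 3.5.0 advisory: one <img> whose title attribute merely
// contains the text '/><img src=url404 onerror=xss()>'. As written it is inert.
const poc = '<img alt="<x" title="/><img src=url404 onerror=xss()>">';

function demo() {
  return {
    before: executableHandlerAttrs(poc),                              // []
    vulnerable: executableHandlerAttrs(vulnerableHtmlPrefilter(poc)), // ["onerror"]
    patched: executableHandlerAttrs(patchedHtmlPrefilter(poc)),       // []
    rewritten: vulnerableHtmlPrefilter(poc),
  };
}
```

The prefilter turns `<x" title="/>` into `<x" title="></x">`, which closes the title attribute early and leaves `<img src=url404 onerror=xss()>` as a second, real element. Because this rewrite happens inside .html()/.append() after any sanitizer has run, the practical defence is to upgrade to jQuery 3.5.0 or later (or, on 3.x before 3.5.0, set jQuery.htmlPrefilter to an identity function) rather than to tighten the sanitizer.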

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
Exploitability: 1.6 | Impact: 4.7

Affected Packages (65 packages)

Ecosystem   Package             Affected from   Fixed in
NuGet       jquery              1.2.0           3.5.0
npm         jquery              1.2.0           3.5.0
RubyGems    jquery-rails        < 4.4.0         4.4.0
NVD         jquery/jquery       1.2             3.5.0
Packagist   components/jquery   1.2.0           3.5.0

Also affects: Debian Linux 9.0, Fedora 31, 32, 33

Patches

🔴 Vulnerability Details (78)

VulDB
Oracle Commerce Merchandising 11.3.0/11.3.1/11.3.2 Business Control Center cross-site scripting (EDB-49766 / Nessus ID 209233) 2026-04-14
VulDB
Oracle Agile Product Lifecycle Management for Process 6.2.0.0 Supplier Portal cross-site scripting (EDB-49766 / Nessus ID 209233) 2026-04-14
VulDB
Oracle Siebel UI Framework 20.8 UIF Open UI cross-site scripting (EDB-49766 / Nessus ID 209233) 2026-04-14
VulDB
Oracle WebCenter Sites 12.2.1.3.0/12.2.1.4.0 cross-site scripting (EDB-49766 / Nessus ID 209233) 2026-04-14
VulDB
Oracle JD Edwards EnterpriseOne Tools up to 9.2.4.x Web Runtime cross-site scripting (EDB-49766 / Nessus ID 209233) 2026-04-14

💥 Exploits & PoCs (1)

Exploit-DB
jQuery 1.2 - Cross-Site Scripting (XSS) 2021-04-14

📋 Vendor Advisories (17)

Ubuntu
Drupal vulnerabilities 2025-07-21
Ubuntu
jQuery vulnerabilities 2025-07-08
Ubuntu
jQuery vulnerabilities 2025-01-30
Oracle
Oracle Utilities Applications Risk Matrix: General (jQuery) — CVE-2020-11022 2024-10-15
Oracle
Oracle Communications Risk Matrix: Platform (HTTP) — CVE-2020-11022 2022-10-15

🕵️ Threat Intelligence (1)

Huntress
CVE-2020-11022 Vulnerability | Huntress

💬 Community (21)

HackerOne
CVE-2020-11022: CVE-2020-11022 ## Summary: CVE-2020-11022 at " https://app 2023-05-18
Bugzilla
CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 2020-04-27
Bugzilla
CVE-2020-11022 python-tw2-jquery: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method [fedora-all] 2020-04-27
Bugzilla
CVE-2020-11022 python-XStatic-jQuery: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method [epel-7] 2020-04-27
Bugzilla
CVE-2020-11022 drupal7: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method [fedora-all] 2020-04-27