cbcvebase.
CVE-2020-11022
published 2020-04-29

Severity: medium, CVSS 3.1 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploited in the wild
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
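Why a sanitizer's approval does not survive the trip through pre-3.5.0 jQuery, shown at the string level. This is an added example, not code from this page or from the jQuery project, except that the regular expression is reproduced from jQuery 3.4.1 (`rxhtmlTag`), where `jQuery.htmlPrefilter` used it to expand self-closing syntax on non-void elements. The payload is the widely circulated public proof of concept for this bug, constructed here as sample input; the tiny raw-text parser model, the version-range check and the helper names are my own and are not part of jQuery.

```javascript
// Added example for CVE-2020-11022. Not from this page or the jQuery project,
// except rxhtmlTag, which is reproduced from jQuery 3.4.1.

// jQuery < 3.5.0: rewrite "<tag/>" to "<tag></tag>" for every element that is
// not in the void-element list below.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Behaviour of jQuery.htmlPrefilter in 1.12.0 <= version < 3.5.0.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Behaviour from 3.5.0 onward: identity, markup reaches the parser untouched.
function patchedHtmlPrefilter(html) {
  return html;
}

// Constructed sample input (public PoC shape). An HTML parser treats everything
// after "<style>" as raw text until a real "</style>", so a DOM-based sanitizer
// sees one <style> element whose text merely contains "<img ...>" and passes it.
const SANITIZER_APPROVED = '<style><style/><img src=x onerror=alert(1)>';

// Minimal model (my own, not a full parser) of the raw-text rule for <style> and
// <script>: tags inside their content are text, not elements. Returns the names
// of tags that would become live elements, in document order.
function liveElementTags(html) {
  const tags = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let rawText = null; // raw-text element we are currently inside, if any
  let m;
  while ((m = re.exec(html)) !== null) {
    const closing = m[0][1] === '/';
    const name = m[1].toLowerCase();
    if (rawText) {
      if (closing && name === rawText) rawText = null;
      continue; // anything else is just text inside <style>/<script>
    }
    if (closing) continue;
    tags.push(name);
    if (name === 'style' || name === 'script') rawText = name;
  }
  return tags;
}

// Is a jQuery version string inside the range the CVE text gives
// (>= 1.12.0 and < 3.5.0)? Some rows in the Affected table start at 1.2.0
// instead; pass a different lower bound if you want that reading.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function isAffectedVersion(version, lower = '1.12.0') {
  return compareVersions(version, lower) >= 0 && compareVersions(version, '3.5.0') < 0;
}

// Interim mitigation when an upgrade is not yet possible: install the identity
// prefilter that 3.5.0 ships, using the public, overridable jQuery.htmlPrefilter
// hook. `jq` is the jQuery object (assumed here; call as applyHtmlPrefilterMitigation(jQuery)).
function applyHtmlPrefilterMitigation(jq) {
  jq.htmlPrefilter = patchedHtmlPrefilter;
  return jq;
}
```

After `legacyHtmlPrefilter`, `<style/>` has turned into `<style></style>`, which closes the outer style element early and leaves `<img src=x onerror=alert(1)>` as a real element with a handler; `liveElementTags` reports `style` for the sanitizer's input but `style,img` for what jQuery actually inserted. The identity prefilter returns the approved string unchanged, which is the whole fix.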

Affected

130 ranges (showing 25)

Vendor         Product             Version range                           Fixed in
athlon1600     youtube-downloader  0 – 4.0.0
components     jquery              >= 1.12.0 < 3.5.0                       3.5.0
components     jquery              >= 1.2.0 < 3.5.0                        3.5.0
debian         debian_linux
debian         node-jquery         < node-jquery 3.5.0+dfsg-2 (bookworm)   node-jquery 3.5.0+dfsg-2 (bookworm)
debian         otrs2               < node-jquery 3.5.0+dfsg-2 (bookworm)   node-jquery 3.5.0+dfsg-2 (bookworm)
drupal         core                >= 8.0.0 < 8.7.14                       8.7.14
drupal         core                >= 8.8.0 < 8.8.6                        8.8.6
drupal         drupal              >= 7.0 < 7.70                           7.70
drupal         drupal              >= 8.7.0 < 8.7.14                       8.7.14
drupal         drupal              >= 8.8.0 < 8.8.6                        8.8.6
drupal         drupal_core
fedoraproject  fedora
fedoraproject  fedora
fedoraproject  fedora
jquery         jquery
jquery         jquery              >= 0 < 1.7.2+dfsg-2ubuntu1+esm1         1.7.2+dfsg-2ubuntu1+esm1
jquery         jquery              >= 0 < 1.11.3+dfsg-4ubuntu0.1~esm1      1.11.3+dfsg-4ubuntu0.1~esm1
jquery         jquery              >= 0 < 3.2.1-1ubuntu0.1~esm1            3.2.1-1ubuntu0.1~esm1
jquery         jquery              >= 1.12.0 < 3.5.0                       3.5.0
jquery         jquery              >= 1.12.0 < 3.5.0                       3.5.0
jquery         jquery              >= 1.2 < 3.5.0                          3.5.0
jquery         jquery              >= 1.2.0 < 3.5.0                        3.5.0
jquery         jquery              >= 1.2.0 < 3.5.0                        3.5.0
maximebf       debugbar            >= 0 < 1.19.0                           1.19.0

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ghsa                6.1    MEDIUM
osv                 6.1    MEDIUM
vulncheck           6.9    MEDIUM