CVE-2020-11023: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one…

medium6.1CVSS 3.1

AVNACLPRNUIRSCCLILAN

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2025-02-13

Exploited in the wild

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Affected

77 ranges· showing 25

Vendor	Product	Version range	Fixed in
components	jquery	>= 1.0.3 < 3.5.0	3.5.0
debian	debian_linux	—	—
debian	node-jquery	< node-jquery 3.5.0+dfsg-2 (bookworm)	node-jquery 3.5.0+dfsg-2 (bookworm)
debian	otrs2	< node-jquery 3.5.0+dfsg-2 (bookworm)	node-jquery 3.5.0+dfsg-2 (bookworm)
drupal	core	>= 8.0.0 < 8.7.14	8.7.14
drupal	core	>= 8.8.0 < 8.8.6	8.8.6
drupal	drupal	>= 7.0 < 7.70	7.70
drupal	drupal	>= 8.7.0 < 8.7.14	8.7.14
drupal	drupal	>= 8.8.0 < 8.8.6	8.8.6
drupal	drupal_core	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
jquery	jquery	—	—
jquery	jquery	>= 0 < 1.7.2+dfsg-2ubuntu1+esm1	1.7.2+dfsg-2ubuntu1+esm1
jquery	jquery	>= 0 < 1.11.3+dfsg-4ubuntu0.1~esm1	1.11.3+dfsg-4ubuntu0.1~esm1
jquery	jquery	>= 0 < 3.2.1-1ubuntu0.1~esm1	3.2.1-1ubuntu0.1~esm1
jquery	jquery	>= 1.0.3 < 3.5.0	3.5.0
jquery	jquery	>= 1.0.3 < 3.5.0	3.5.0
jquery	jquery	>= 1.0.3 < 3.5.0	3.5.0
netapp	oncommand_system_manager	3.0 – 3.1.3	—
oracle	application_express	< 20.2	20.2
oracle	application_testing_suite	—	—
oracle	banking_enterprise_collections	2.7.0 – 2.8.0	—
oracle	banking_platform	2.4.0 – 2.10.0	—

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

osv6.1MEDIUM

vulncheck6.9MEDIUM

cisa6.1MEDIUM