⚠ Actively exploited

Added to CISA KEV on 2025-01-23. Federal agencies required to patch by 2025-02-13. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2020-11023 — Cross-site Scripting in Jquery

CWE-79 — Cross-site Scripting44 documents15 sources

Severity

6.1MEDIUMNVD

CNA6.9VulnCheck6.9

EPSS

42.1%

top 2.55%

CISA KEV

KEV

Added 2025-01-23

Due 2025-02-13

Exploit

Exploited in wild

Active exploitation observed

Affected products

Drupal Jquery Oracle Application Express +35 more

Timeline

PublishedApr 29

KEV addedJan 23

KEV dueFeb 13

Latest updateJul 21

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages39 packages

▶NVDjquery/jquery1.0.3 — 3.5.0

▶NuGetjquery/jquery1.0.3 — 3.5.0

▶npmjquery/jquery1.0.3 — 3.5.0

▶Packagistcomponents/jquery1.0.3 — 3.5.0

▶CVEListV5jquery/jquery>= 1.0.3, < 3.5.0

Also affects: Debian Linux 9.0, Fedora 31, 32, 33

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Potential XSS vulnerability in jQuery↗2020-04-29

▶

OSV

CVE-2020-11023: In jQuery versions greater than or equal to 1↗2020-04-29

▶

CVEList

Potential XSS vulnerability in jQuery↗2020-04-29

▶

GHSA

Potential XSS vulnerability in jQuery↗2020-04-29

▶

VulnCheck

JQuery Cross-Site Scripting (XSS) Vulnerability↗2020

▶

💥Exploits & PoCs

Exploit-DB

jQuery 1.0.3 - Cross-Site Scripting (XSS)↗2021-04-14

▶

📋Vendor Advisories

Ubuntu

Drupal vulnerabilities↗2025-07-21

▶

Ubuntu

jQuery vulnerabilities↗2025-07-08

▶

Ubuntu

jQuery vulnerabilities↗2025-01-30

▶

CISA

JQuery Cross-Site Scripting (XSS) Vulnerability↗2025-01-23

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Security Framework (jQuery) — CVE-2020-11023↗2024-10-15

▶

🕵️Threat Intelligence

Huntress

CVE-2020-11023 Vulnerability: Analysis, Detection, Removal | Huntress↗

▶

💬Community

Bugzilla

CVE-2020-11023 pcs: jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution [fedora-all]↗2020-09-24

▶

Bugzilla

CVE-2020-11023 python-tw2-jquery: jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution [epel-6]↗2020-06-23

▶

Bugzilla

CVE-2020-11023 python-XStatic-jQuery: jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution [fedora-all]↗2020-06-23

▶

Bugzilla

CVE-2020-11023 python-XStatic-jquery-ui: jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution [epel-7]↗2020-06-23

▶

Bugzilla

CVE-2020-11023 python-tw2-jquery: jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods [epel-7]↗2020-06-23

▶