Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-7656

Severity: 6.1 MEDIUM
EPSS: 1.1% (top 21.91%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published May 19; latest update Apr 8

Description

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (9 packages)

NuGet | jQuery | 1.2.1 | 1.9.0
npm | jquery | 1.2.1 | 1.9.0
RubyGems | jquery-rails | < 2.2.0
NVD | jquery/jquery | < 1.9.0
Maven | org.webjars.npm:jquery | 1.2.1 | 1.9.0

🔴 Vulnerability Details (4)

OSV: Cross-Site Scripting in jquery (2020-05-20)
GHSA: Cross-Site Scripting in jquery (2020-05-20)
OSV: CVE-2020-7656: jquery prior to 1 (2020-05-19)
CVEList: CVE-2020-7656: jquery prior to 1 (2020-05-19)

💥 Exploits & PoCs (1)

Exploit-DB: jQuery 3.3.1 - Prototype Pollution & XSS Exploit (2025-04-08)

📋 Vendor Advisories (2)

Oracle: Oracle PeopleSoft Risk Matrix: PeopleSoft CDA (jQuery) - CVE-2020-7656 (2022-07-15)
Red Hat: jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces (2020-05-19)

💬 Community (20)

Bugzilla: CVE-2020-7656 pcs: jQuery: allows XSS via the load method [fedora-all] (2020-10-08)
Bugzilla: CVE-2020-7656 rubygem-jquery-rails: jQuery: allows XSS via the load method [fedora-all] (2020-06-23)
Bugzilla: CVE-2020-7656 js-jquery2: jQuery: allows XSS via the load method [fedora-all] (2020-06-23)
Bugzilla: CVE-2020-7656 python-XStatic-jQuery: jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces [epel-7] (2020-06-23)
Bugzilla: CVE-2020-7656 python-tw-jquery: jQuery: allows XSS via the load method [epel-6] (2020-06-23)