drupal drupal CVE-2020-11022 vulnerability in Drupal and Other Products
Published on April 29, 2020

Potential XSS vulnerability in jQuery

product logo product logo product logo product logo product logo product logo product logo product logo product logo
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Github Repository Github Repository Github Repository Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2020-11022 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2020-11022 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2020-11022

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-11022 are published in these products:

Drupal
 
jQuery
 
NetApp Oncommand Insight
 
NetApp Oncommand System Manager
 
NetApp Snapcenter
 
NetApp Snap Creator Framework
 
OpenSuse Backports Sle
 
Oracle Application Testing Suite
 
Oracle Banking Digital Experience
 
Oracle Communications Webrtc Session Controller
 
Oracle Financial Services Analytical Applications Infrastructure
 
Oracle Financial Services Asset Liability Management
 
Oracle Financial Services Balance Sheet Planning
 
Oracle Financial Services Data Foundation
 
Oracle Financial Services Funds Transfer Pricing
 
Oracle Financial Services Hedge Management Ifrs Valuations
 
Oracle Financial Services Liquidity Risk Management
 
Oracle Financial Services Loan Loss Forecasting Provisioning
 
Oracle Financial Services Market Risk Measurement Management
 
Oracle Financial Services Price Creation Discovery
 
Oracle Financial Services Profitability Management
 
Oracle Hospitality Materials Control
 
Oracle Jdeveloper
 
Oracle Peoplesoft Enterprise Peopletools
 
Oracle Policy Automation Connector Siebel
 
Oracle Retail Back Office
 
Oracle Retail Customer Management Segmentation Foundation
 
Oracle Retail Returns Management
 
Oracle Weblogic Server
 
Debian Linux
 
Fedora Project Fedora
 
OpenSuse Leap
 
Oracle Agile Product Supplier Collaboration Process
 
Oracle Communications Application Session Controller
 
Oracle Communications Billing Revenue Management
 
Oracle Communications Diameter Signaling Router Idih
 
Oracle Enterprise Manager Ops Center
 
Oracle Enterprise Session Border Controller
 
Oracle Financial Services Analytical Applications Reconciliation Framework
 
Oracle Financial Services Basel Regulatory Capital Basic
 
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
 
Oracle Financial Services Data Governance Us Regulatory Reporting
 
Oracle Financial Services Data Integration Hub
 
Oracle Financial Services Institutional Performance Analytics
 
Oracle Financial Services Liquidity Risk Measurement Management
 
Oracle Financial Services Regulatory Reporting European Banking Authority
 
Oracle Financial Services Regulatory Reporting Us Federal Reserve
 
Oracle Healthcare Foundation
 
Oracle Hospitality Simphony
 
Oracle Insurance Accounting Analyzer
 
Oracle Insurance Allocation Manager Enterprise Profitability
 
Oracle Insurance Data Foundation
 
Oracle Insurance Insbridge Rating Underwriting
 
Oracle Policy Automation
 
Oracle Policy Automation Mobile Devices
 
Oracle Siebel Ui Framework
 
NetApp Max Data
 
Oracle Agile Product Lifecycle Management Process
 
Tenable Log Correlation Engine
 
Oracle Communications Eagle Application Processor
 
Oracle Communications Services Gatekeeper
 
Oracle Blockchain Platform
 
Oracle Storagetek Acsls
 
Oracle
 
Canonical Ubuntu Linux
 

Affected Versions

jQuery Version >= 1.2, < 3.5.0 is affected by CVE-2020-11022

Vulnerable Packages

The following package name and versions may be associated with CVE-2020-11022

Package Manager Vulnerable Package Versions Fixed In
npm jquery >= 1.2, < 3.5.0 3.5.0
composer october/october >= 1.0.319, < 1.0.466 1.0.466
composer october/system >= 1.0.319, < 1.0.466 1.0.466
composer privatebin/privatebin >= 0.21, < 1.4.0 1.4.0

Exploit Probability

EPSS
7.24%
Percentile
91.44%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.