drupal drupal CVE-2020-11023 vulnerability in Drupal and Other Products
Published on April 29, 2020

Potential XSS vulnerability in jQuery

product logo product logo product logo product logo product logo product logo product logo product logo product logo
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Github Repository Github Repository Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This JQuery Cross-Site Scripting (XSS) Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.

The following remediation steps are recommended / required by February 13, 2025: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2020-11023 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2020-11023 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2020-11023

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-11023 are published in these products:

Drupal
 
jQuery
 
NetApp Oncommand Insight
 
NetApp Oncommand System Manager
 
NetApp Snapcenter Server
 
NetApp Snap Creator Framework
 
OpenSuse Backports Sle
 
Oracle Application Express
 
Oracle Application Testing Suite
 
Oracle Communications Operations Monitor
 
Oracle Hyperion Financial Reporting
 
Oracle Rest Data Services
 
Oracle Webcenter Sites
 
Oracle Weblogic Server
 
Debian Linux
 
Fedora Project Fedora
 
OpenSuse Leap
 
Oracle Banking Enterprise Collections
 
Oracle Banking Platform
 
Oracle Communications Analytics
 
Oracle Communications Element Manager
 
Oracle Communications Interactive Session Recorder
 
Oracle Communications Session Report Manager
 
Oracle Communications Session Route Manager
 
Oracle Financial Services Regulatory Reporting De Nederlandsche Bank
 
Oracle Healthcare Translational Research
 
Oracle Jd Edwards Enterpriseone Orchestrator
 
Oracle Jd Edwards Enterpriseone Tools
 
Oracle Peoplesoft Enterprise Human Capital Management Resources
 
Oracle Primavera Gateway
 
Oracle Siebel Mobile
 
Oracle Storagetek Tape Analytics Sw Tool
 
NetApp Max Data
 
Oracle Financial Services Revenue Management Billing Analytics
 
Oracle Health Sciences Inform
 
Oracle Oss Support Tools
 
Tenable Log Correlation Engine
 
Oracle Communications Eagle Application Processor
 
Oracle Communications Services Gatekeeper
 
Oracle Storagetek Acsls
 
Oracle Business Intelligence
 
Oracle
 
Oracle Blockchain Platform
 
NetApp Cloud Backup
 
NetApp Active Iq Unified Manager
 
NetApp Cloud Insights Storage Workload Security Agent
 
NetApp Hci Baseboard Management Controller
 
Canonical Ubuntu Linux
 

Affected Versions

jQuery Version >= 1.0.3, < 3.5.0 is affected by CVE-2020-11023

Vulnerable Packages

The following package name and versions may be associated with CVE-2020-11023

Package Manager Vulnerable Package Versions Fixed In
npm jquery >= 1.0.3, < 3.5.0 3.5.0
composer privatebin/privatebin >= 0.21, < 1.4.0 1.4.0

Exploit Probability

EPSS
36.28%
Percentile
97.01%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.