CVE-2020-11023 vulnerability in Drupal and Other Products
Published on April 29, 2020

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Vulnerability Analysis

CVE-2020-11023 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Products Associated with CVE-2020-11023

You can be notified by stack.watch whenever vulnerabilities like CVE-2020-11023 are published in these products:

Drupal

  Watch

 

jQuery

  Watch

 

NetApp Oncommand Insight

  Watch

 

NetApp Oncommand System Manager

  Watch

 

NetApp Snapcenter Server

  Watch

 

NetApp Snap Creator Framework

  Watch

 

OpenSuse Backports Sle

  Watch

 

Oracle Application Express

  Watch

 

Oracle Application Testing Suite

  Watch

 

Oracle Communications Operations Monitor

  Watch

 

Oracle Hyperion Financial Reporting

  Watch

 

Oracle Rest Data Services

  Watch

 

Oracle Webcenter Sites

  Watch

 

Oracle Weblogic Server

  Watch

 

Debian Linux

  Watch

 

Fedora Project Fedora

  Watch

 

OpenSuse Leap

  Watch

 

Oracle Banking Enterprise Collections

  Watch

 

Oracle Banking Platform

  Watch

 

Oracle Communications Analytics

  Watch

 

Oracle Communications Element Manager

  Watch

 

Oracle Communications Interactive Session Recorder

  Watch

 

Oracle Communications Session Report Manager

  Watch

 

Oracle Communications Session Route Manager

  Watch

 

Oracle Financial Services Regulatory Reporting De Nederlandsche Bank

  Watch

 

Oracle Healthcare Translational Research

  Watch

 

Oracle Jd Edwards Enterpriseone Orchestrator

  Watch

 

Oracle Jd Edwards Enterpriseone Tools

  Watch

 

Oracle Peoplesoft Enterprise Human Capital Management Resources

  Watch

 

Oracle Primavera Gateway

  Watch

 

Oracle Siebel Mobile

  Watch

 

Oracle Storagetek Tape Analytics Sw Tool

  Watch

 

NetApp Max Data

  Watch

 

Oracle Financial Services Revenue Management Billing Analytics

  Watch

 

Oracle Health Sciences Inform

  Watch

 

Oracle Oss Support Tools

  Watch

 

Tenable Log Correlation Engine

  Watch

 

Oracle Communications Eagle Application Processor

  Watch

 

Oracle Communications Services Gatekeeper

  Watch

 

Oracle Storagetek Acsls

  Watch

 

Oracle Business Intelligence

  Watch

 

Oracle

  Watch

 

Oracle Blockchain Platform

  Watch

 

NetApp Cloud Backup

  Watch

 

NetApp Active Iq Unified Manager

  Watch

 

NetApp Cloud Insights Storage Workload Security Agent

  Watch

 

NetApp Hci Baseboard Management Controller

  Watch

 

What versions are vulnerable to CVE-2020-11023?

•   jQuery Version 1.0.3 Fixed in Version 3.5.0

•   Debian Linux Version 9.0

•   Fedora Project Fedora Version 31
•   Fedora Project Fedora Version 32
•   Fedora Project Fedora Version 33

•   Drupal Version 7.0 Fixed in Version 7.70
•   Drupal Version 8.7.0 Fixed in Version 8.7.14
•   Drupal Version 8.8.0 Fixed in Version 8.8.6

•   Oracle Weblogic Server Version 12.1.3.0.0
•   Oracle Hyperion Financial Reporting Version 11.1.2.4
•   Oracle Weblogic Server Version 12.2.1.3.0
•   Oracle Webcenter Sites Version 12.2.1.3.0
•   Oracle Application Testing Suite Version 13.3.0.1
•   Oracle Communications Operations Monitor Version 3.4
•   Oracle Weblogic Server Version 12.2.1.4.0
•   Oracle Webcenter Sites Version 12.2.1.4.0
•   Oracle Weblogic Server Version 14.1.1.0.0
•   Oracle Communications Interactive Session Recorder Version 6.1 through 6.4
•   Oracle Communications Element Manager Version 8.2.0
•   Oracle Communications Element Manager Version 8.2.1
•   Oracle Communications Element Manager Version 8.1.1
•   Oracle Application Express Fixed in Version 20.2
•   Oracle Rest Data Services Version 12.2.0.1
•   Oracle Rest Data Services Version 12.1.0.2
•   Oracle Rest Data Services Version 11.2.0.4
•   Oracle Rest Data Services Version 18c
•   Oracle Rest Data Services Version 19c
•   Oracle Communications Services Gatekeeper Version 7.0
•   Oracle Storagetek Tape Analytics Sw Tool Version 2.3.1
•   Oracle Communications Session Report Manager Version 8.1.1
•   Oracle Communications Session Report Manager Version 8.2.0
•   Oracle Communications Session Report Manager Version 8.2.1
•   Oracle Communications Session Route Manager Version 8.1.1
•   Oracle Communications Session Route Manager Version 8.2.0
•   Oracle Communications Session Route Manager Version 8.2.1
•   Oracle Primavera Gateway Version 16.2 through 16.2.11
•   Oracle Primavera Gateway Version 17.12.0 through 17.12.7
•   Oracle Siebel Mobile Up to Version 20.12
•   Oracle Peoplesoft Enterprise Human Capital Management Resources Version 9.2
•   Oracle Financial Services Regulatory Reporting De Nederlandsche Bank Version 8.0.4
•   Oracle Jd Edwards Enterpriseone Tools Fixed in Version 9.2.5.0
•   Oracle Banking Enterprise Collections Version 2.7.0 through 2.8.0
•   Oracle Jd Edwards Enterpriseone Orchestrator Fixed in Version 9.2.5.0
•   Oracle Banking Platform Version 2.4.0 through 2.10.0
•   Oracle Primavera Gateway Version 19.12.0 through 19.12.4
•   Oracle Primavera Gateway Version 18.8.0 through 18.8.9
•   Oracle Communications Operations Monitor Version 4.1 through 4.3
•   Oracle Communications Analytics Version 12.1.1
•   Oracle Healthcare Translational Research Version 3.3.1
•   Oracle Healthcare Translational Research Version 3.3.2
•   Oracle Healthcare Translational Research Version 3.4.0
•   Oracle Healthcare Translational Research Version 3.2.1
•   Oracle Oss Support Tools Fixed in Version 2.12.41
•   Oracle Financial Services Revenue Management Billing Analytics Version 2.7
•   Oracle Financial Services Revenue Management Billing Analytics Version 2.8
•   Oracle Health Sciences Inform Version 6.3.0
•   Oracle Business Intelligence Version 5.9.0.0.0
•   Oracle Communications Eagle Application Processor Version 16.1.0 through 16.4.0
•   Oracle Storagetek Acsls Version 8.5.1
•   Oracle Blockchain Platform Version 21.1.2
•   Oracle Blockchain Platform Fixed in Version 21.1.2

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

•   NetApp Snap Creator Framework Version -
•   NetApp Cloud Backup Version -
•   NetApp Snapcenter Server Version -
•   NetApp Oncommand Insight Version -
•   NetApp Oncommand System Manager Version 3.0 through 3.1.3
•   NetApp Max Data Version -
•   NetApp Active Iq Unified Manager Version - linux
•   NetApp Active Iq Unified Manager Version - vsphere
•   NetApp Active Iq Unified Manager Version - windows
•   NetApp Cloud Insights Storage Workload Security Agent Version -
•   NetApp Hci Baseboard Management Controller Version -

•   Tenable Log Correlation Engine Fixed in Version 6.0.9

Vulnerable Packages

The following package name and versions may be associated with CVE-2020-11023