jQuery has a potential XSS vulnerability
Summary
| CVE | CVE-2020-11022 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-04-29 22:15:11 UTC |
| Updated | 2026-04-13 15:16:29 UTC |
| Description | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
Risk And Classification
Primary CVSS: v3.1 6.1 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Problem Types: CWE-79 | CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| 3.1 | [email protected] | Secondary | 6.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
| 3.1 | CNA | DECLARED | 6.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
| 2.0 | [email protected] | Primary | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
ChangedConfidentiality
LowIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
NoneIntegrity
PartialAvailability
NoneAV:N/AC:M/Au:N/C:N/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | [email protected] | lists.apache.org | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| [SECURITY] Fedora 33 Update: drupal7-7.72-1.fc33 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - April 2022 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| [SECURITY] Fedora 32 Update: drupal7-7.70-1.fc32 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002 | Drupal.org | af854a3a-2127-422b-91ae-364da2661108 | www.drupal.org | Third Party Advisory |
| security.netapp.com/advisory/ntap-20200511-0006 | [email protected] | security.netapp.com | |
| Pony Mail! | [email protected] | lists.apache.org | |
| [SECURITY] Fedora 31 Update: drupal7-7.72-1.fc31 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - October 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| Pony Mail! | [email protected] | lists.apache.org | |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | [email protected] | lists.fedoraproject.org | |
| github.com/jquery/jquery/releases/tag/3.5.0 | [email protected] | github.com | |
| Oracle Critical Patch Update Advisory - July 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| [SECURITY] [DLA 2608-1] jquery security update | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780d... | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Cacti: Multiple vulnerabilities (GLSA 202007-03) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| [R1] Nessus Network Monitor 5.13.0 Fixes One Third-party Vulnerability - Security Advisory | Tenable® | af854a3a-2127-422b-91ae-364da2661108 | www.tenable.com | Third Party Advisory |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | [email protected] | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - January 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Third Party Advisory |
| May 2020 jQuery Vulnerabilities in NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | Third Party Advisory |
| jquery.com/upgrade-guide/3.5 | [email protected] | jquery.com | |
| [SECURITY] [DLA 3551-1] otrs2 security update | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| Pony Mail! | [email protected] | lists.apache.org | |
| Pony Mail! | [email protected] | lists.apache.org | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| blog.jquery.com/2020/04/10/jquery-3-5-0-released | [email protected] | blog.jquery.com | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2022 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| Oracle Critical Patch Update Advisory - July 2022 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | [email protected] | lists.fedoraproject.org | |
| [SECURITY] Fedora 32 Update: drupal8-8.9.0-1.fc32 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - April 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html | [email protected] | lists.opensuse.org | |
| jQuery 3.5.0 Released! | Official jQuery Blog | af854a3a-2127-422b-91ae-364da2661108 | blog.jquery.com | Release Notes, Vendor Advisory |
| Oracle Critical Patch Update Advisory - October 2020 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Third Party Advisory |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | [email protected] | lists.fedoraproject.org | |
| packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html | [email protected] | packetstormsecurity.com | |
| jQuery Core 3.5 Upgrade Guide | jQuery | af854a3a-2127-422b-91ae-364da2661108 | jquery.com | Mitigation, Vendor Advisory |
| [R1] LCE 6.0.9 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® | af854a3a-2127-422b-91ae-364da2661108 | www.tenable.com | Third Party Advisory |
| Potential XSS vulnerability in jQuery.htmlPrefilter and related methods · Advisory · jquery/jquery · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Mitigation, Third Party Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Pony Mail! | [email protected] | lists.apache.org | |
| Manipulation: Make jQuery.htmlPrefilter an identity function · jquery/jquery@1d61fd9 · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Patch, Third Party Advisory |
| Pony Mail! | [email protected] | lists.apache.org | |
| github.com/maximebf/php-debugbar/issues/447 | [email protected] | github.com | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| www.oracle.com/security-alerts/cpujul2021.html | [email protected] | www.oracle.com | |
| [security-announce] openSUSE-SU-2020:1888-1: moderate: Security update f | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Broken Link |
| [R1] Nessus 8.13.0 Fixes One Third-party Vulnerability - Security Advisory | Tenable® | af854a3a-2127-422b-91ae-364da2661108 | www.tenable.com | Third Party Advisory |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | [email protected] | lists.fedoraproject.org | |
| [SECURITY] Fedora 32 Update: drupal7-7.72-1.fc32 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html | [email protected] | lists.opensuse.org | |
| [security-announce] openSUSE-SU-2020:1106-1: moderate: Security update f | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Broken Link |
| Pony Mail! | [email protected] | lists.apache.org | |
| Pony Mail! | [email protected] | lists.apache.org | |
| [R1] Tenable.sc 5.17.0 Fixes Multiple Vulnerabilities - Security Advisory | Tenable® | af854a3a-2127-422b-91ae-364da2661108 | www.tenable.com | Third Party Advisory |
| Pony Mail! | [email protected] | lists.apache.org | |
| github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-20... | [email protected] | github.com | |
| Debian -- Security Information -- DSA-4693-1 drupal7 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2020 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Third Party Advisory |
| github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcf... | [email protected] | github.com | |
| Pony Mail! | [email protected] | lists.apache.org | |
| lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html | [email protected] | lists.opensuse.org | |
| jQuery 1.2 Cross Site Scripting ≈ Packet Storm | af854a3a-2127-422b-91ae-364da2661108 | packetstormsecurity.com | Exploit, Third Party Advisory, VDB Entry |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| [security-announce] openSUSE-SU-2020:1060-1: moderate: Security update f | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Broken Link |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| [SECURITY] Fedora 32 Update: drupal7-7.72-1.fc32 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| [SECURITY] Fedora 32 Update: drupal7-7.70-1.fc32 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| [SECURITY] Fedora 32 Update: drupal8-8.9.0-1.fc32 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| [SECURITY] Fedora 31 Update: drupal7-7.72-1.fc31 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| [SECURITY] Fedora 33 Update: drupal7-7.72-1.fc33 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 10083 Atlassian Jira Cross-Site Scripting Vulnerability(JRASERVER-72052)
- 14011 Ansible Tower Security Update 3.8.2 Multiple Vulnerabilities
- 159652 Oracle Enterprise Linux Security Update for idm:dl1 and idm:client (ELSA-2020-4670)
- 159661 Oracle Enterprise Linux Security Update for jquery-ui (ELSA-2022-9177)
- 159679 Oracle Enterprise Linux Security Update for pki-core:10.6 and pki-deps:10.6 (ELSA-2020-4847)
- 178505 Debian Security Update for jquery (DLA 2608-1)
- 20288 Oracle Database 19c Critical OJVM Patch Update - October 2020
- 20297 Oracle Database 18c Critical OJVM Patch Update - October 2020
- 20313 Oracle Database 12.2.0.1 Critical OJVM Patch Update - October 2020
- 241153 Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0554)
- 241154 Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0552)
- 241155 Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0553)
- 296073 Oracle Solaris 11.4 Support Repository Update (SRU) 24.75.2 Missing (CPUJUL2020)
- 375482 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2021)
- 375584 Dell NetWorker Security Update for Multiple Vulnerabilities (DSA-2020-262)
- 375630 HPE System Management Homepage Cross Site Scripting Vulnerabilitiy
- 377492 Alibaba Cloud Linux Security Update for ipa (ALINUX2-SA-2020:0169)
- 500875 Alpine Linux Security Update for drupal7
- 501529 Alpine Linux Security Update for cacti
- 504593 Alpine Linux Security Update for cacti
- 504699 Alpine Linux Security Update for drupal7
- 590764 Mitsubishi Electric EcoWebServerIII Multiple Vulnerabilities (ICSA-22-055-02)
- 590808 Mitsubishi Electric EcoWebServerIII Multiple Vulnerabilities (ICSA-22-055-02)
- 6000085 Debian Security Update for otrs2 (DLA 3551-1)
- 690483 Free Berkeley Software Distribution (FreeBSD) Security Update for cacti (cd2dc126-cfe4-11ea-9172-4c72b94353b5)
- 690498 Free Berkeley Software Distribution (FreeBSD) Security Update for gitlab (1fb13175-ed52-11ea-8b93-001b217b3468)
- 87467 Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2021)
- 940071 AlmaLinux Security Update for idm:DL1 and idm:client (ALSA-2020:4670)
- 940348 AlmaLinux Security Update for pki-core:10.6 and pki-deps:10.6 (ALSA-2020:4847)
- 960340 Rocky Linux Security Update for idm:DL1 and idm:client (RLSA-2020:4670)
- 960454 Rocky Linux Security Update for pki-core:10.6 and pki-deps:10.6 (RLSA-2020:4847)
- 980083 Nodejs (npm) Security Update for jquery (GHSA-gxr4-xjj5-5px2)
- 995403 DotNet (Nuget) Security Update for jquery (GHSA-gxr4-xjj5-5px2)
- 995409 Rubygems (Rubygems) Security Update for jquery-rails (GHSA-gxr4-xjj5-5px2)
- 995461 Java (Maven) Security Update for org.webjars.npm:jquery (GHSA-gxr4-xjj5-5px2)