Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday placed a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be
Analysis Summary
# Vulnerability: Cross-Site Scripting (XSS) in jQuery via DOM Manipulation Methods
## CVE Details
- CVE ID: CVE-2020-11023
- CVSS Score: 6.1/6.9 (Medium)
- CWE: Cross-site Scripting (CWE is implied but not explicitly stated in the snippet beyond the description of the flaw)
## Affected Systems
- Products: jQuery JavaScript Library
- Versions: Versions prior to 3.5.0
- Configurations: When untrusted HTML containing elements is passed to jQuery's DOM manipulation methods like `.html()` or `.append()`.
## Vulnerability Description
The vulnerability is a Cross-Site Scripting (XSS) flaw affecting jQuery's DOM manipulation methods. It allows an attacker to execute arbitrary code if untrusted HTML content, even after sanitization, is passed to methods such as `.html()`, `.append()`, and others. This bypasses certain sanitization attempts, leading to script execution on client browsers.
## Exploitation
- Status: Active exploitation evidenced by inclusion in CISA's KEV catalog. PoC availability is not explicitly mentioned, but exploits are confirmed.
- Complexity: Not explicitly rated, but XSS flaws often have medium to low complexity if context allows for easy injection.
- Attack Vector: Network (via loading malicious content/pages).
## Impact
- Confidentiality: Likely High (due to script execution allowing session hijacking, data theft).
- Integrity: Likely High (due to script execution allowing arbitrary client-side modifications).
- Availability: Low to Medium (Depends on the subsequent action of the executed script).
## Remediation
### Patches
- jQuery version 3.5.0 (Released April 2020) and later versions.
### Workarounds
- Use the DOMPurify library with the `SAFE_FOR_JQUERY` flag set to sanitize the HTML string *before* passing it to any vulnerable jQuery DOM manipulation method.
## Detection
- Detection methods are not explicitly detailed, but indicators would involve monitoring HTTP traffic for unexpected scripts being injected into the DOM via jQuery methods, or looking for communication from associated C2 infrastructure if the flaw is leveraged in a broader attack chain (as noted in connection with Ivanti exploitation campaigns).
## References
- Vendor Advisory (jQuery): hxxps://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
- GitHub Advisory: hxxps://github.com/advisories/GHSA-jpcq-cgw6-v4j6
- CISA KEV Listing: hxxps://www.cisa.gov/news-events/alerts/2025/01/23/cisa-adds-one-known-exploited-vulnerability-catalog
- Related CVEs mentioned: CVE-2020-11022, CVE-2019-11358