CVE-2020-11023

Description

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

How to fix CVE-2020-11023

To remediate CVE-2020-11023, upgrade the affected package to a fixed version below.

• —upgrade to 7.70.0 or later
• —upgrade to 3.5.0+dfsg-2 or later
• —upgrade to 6.0.30-1 or later
• —upgrade to 3.5.0 or later
• —upgrade to 3.5.0 or later
• —upgrade to 3.5.0 or later
• —upgrade to 3.5.0 or later
• —upgrade to 4.4.0 or later

Is CVE-2020-11023 being exploited?

Yes — CVE-2020-11023 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (8)

• >= 7.0.0, < 7.70.0, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.6
• from 0, < 3.5.0+dfsg-2
• from 0, < 6.0.30-1
• >= 1.0.3, < 3.5.0
• >= 1.0.3, < 3.5.0
• >= 1.0.3, < 3.5.0
• >= 1.0.3, < 3.5.0
• from 0, < 4.4.0

CVSS scores

References (128)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-11023
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-11023
• PATCHgithub.com/jquery/jquery
• WEBlists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html