CVE-2020-11023

Confirmed PUBLISHED

Potential XSS vulnerability in jQuery

jquery · jQuery
Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
Confirmed
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
In CISA KEV
CVSS / EPSS
6.9 Medium

At a Glance

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

nessus_scanner cisa
CVE Published
Apr 29, 2020
Exploitation Reported
Jan 23, 2025
CVSS
6.9 Medium
EPSS
Remote Unauthenticated

Affected Versions

Vendor Product Version Status
jquery
jQuery

>= 1.0.3, < 3.5.0

Affected

CVE References

  • DSA-4693 debian.org · Vendor Advisory https://www.debian.org/security/2020/dsa-4693
  • FEDORA-2020-36d2db5f51 lists.fedoraproject.org · Vendor Advisory https://lists.fedoraproject.org/archives/list/package-announce%40list...
  • openSUSE-SU-2020:1060 lists.opensuse.org · Vendor Advisory http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067...
  • GLSA-202007-03 security.gentoo.org · Vendor Advisory https://security.gentoo.org/glsa/202007-03
  • openSUSE-SU-2020:1106 lists.opensuse.org · Vendor Advisory http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085...
Show 60 more references

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.