CVE-2020-11022 · threatengine.sh

Home/CVE/In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one

CVE

CVE-2020-11022

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

MEDIUM · CVSS 6.9 EPSS 0.02456

Schedule remediation

Public exploit or PoC is available

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

▤

Affected Products & Versions

40

jquery>= 1.2 and < 3.5.0
drupal>= 7.0 and < 7.70
drupal>= 8.7.0 and < 8.7.14
drupal>= 8.8.0 and < 8.8.6
debian linuxall versions
fedoraproject fedoraall versions
oracle agile product lifecycle management for processall versions
oracle application testing suiteall versions
Show all 40 affected productsoracle banking digital experienceall versions
oracle blockchain platform< 21.1.2
oracle communications application session controllerall versions
oracle communications billing and revenue managementall versions
oracle communications diameter signaling router idih\>= 8.0.0 and <= 8.2.2
oracle communications eagle application processor>= 16.1.0 and <= 16.4.0
oracle communications services gatekeeperall versions
oracle communications webrtc session controllerall versions
oracle enterprise manager ops centerall versions
oracle enterprise session border controllerall versions
oracle financial services analytical applications infrastructure>= 8.0.6.0.0 and <= 8.1.0.0.0
oracle financial services analytical applications reconciliation framework>= 8.0.6 and <= 8.0.8
oracle financial services analytical applications reconciliation frameworkall versions
oracle financial services asset liability managementall versions
oracle financial services balance sheet planningall versions
oracle financial services basel regulatory capital basic>= 8.0.6 and <= 8.0.8
oracle financial services basel regulatory capital basicall versions
oracle financial services basel regulatory capital internal ratings based approach>= 8.0.6 and <= 8.0.8
oracle financial services basel regulatory capital internal ratings based approachall versions
oracle financial services data foundation>= 8.0.6 and <= 8.1.0
oracle financial services data governance for us regulatory reporting>= 8.0.6 and <= 8.0.9
oracle financial services data integration huball versions
oracle financial services funds transfer pricingall versions
oracle financial services hedge management and ifrs valuations>= 8.0.6 and <= 8.0.8
oracle financial services hedge management and ifrs valuationsall versions
oracle financial services institutional performance analyticsall versions
oracle financial services liquidity risk managementall versions
oracle financial services liquidity risk measurement and managementall versions
oracle financial services loan loss forecasting and provisioning>= 8.0.6 and <= 8.0.8
oracle financial services loan loss forecasting and provisioningall versions
oracle financial services market risk measurement and managementall versions
oracle financial services price creation and discoveryall versions

▤

Affected Packages

7

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven org.webjars.npm:jquery MODERATE fixed in 3.5.0

NuGet jquery MODERATE fixed in 3.5.0

Packagist athlon1600/youtube-downloader MODERATE

Packagist components/jquery MODERATE fixed in 3.5.0

Packagist maximebf/debugbar MODERATE fixed in 1.19.0

RubyGems jquery-rails MODERATE fixed in 4.4.0

npm jquery MODERATE fixed in 3.5.0

⚠

Public Exploits & PoCs

3

webappsjQuery 1.2 - Cross-Site Scripting (XSS)2021-04-14
pocpacketstormsecurity.com · jQuery-1.2-Cross-Site-Scripting.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · jQuery-1.2-Cross-Site-Scripting.htmlpacketstormsecurity.com

▣

Scoring & Timeline

6.9

MEDIUM · CVSS v3.1 · security-advisories@github.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD29 Apr 2020 · 10:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

⚑

Vendor Advisories

30

suse-csafopenSUSE-SU-2026:10764-1
usnUSN-7658-1
usnUSN-7622-1
usnUSN-7246-1
suse-csafopenSUSE-SU-2024:10670-1
Show all 30 vendor advisoriessuse-csafopenSUSE-SU-2024:12107-1
rhsaRHSA-2023:1049Moderate
rhsaRHSA-2023:1044Important
rhsaRHSA-2023:1045Important
rhsaRHSA-2023:1043Important
rhsaRHSA-2023:1047Important
rhsaRHSA-2023:0556Moderate
rhsaRHSA-2023:0553Moderate
rhsaRHSA-2023:0554Moderate
rhsaRHSA-2023:0552Moderate
rhsaRHSA-2022:6393Important
rhsaRHSA-2020:4847Important
rhsaRHSA-2021:0778Important
suse-csafopenSUSE-SU-2020:1888-1
rhsaRHSA-2020:5249Moderate
suse-csafSUSE-SU-2020:2650-1
suse-csafSUSE-SU-2020:2373-1
suse-csafSUSE-SU-2020:2292-1
rhsaRHSA-2020:3807Moderate
rhsaRHSA-2020:3247Moderate
rhsaRHSA-2020:4298Low
suse-csafopenSUSE-SU-2020:1106-1
suse-csafopenSUSE-SU-2020:1060-1
rhsaRHSA-2020:2412Moderate
rhsaRHSA-2020:2813Low

🔗

References & Sources

69

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://security.netapp.com/advisory/ntap-20200511-0006

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77PatchThird Party Advisory

https://github.com/jquery/jquery/releases/tag/3.5.0

https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2MitigationThird Party Advisory

https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc

Show all 69 references

https://github.com/maximebf/php-debugbar/issues/447

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml

https://jquery.com/upgrade-guide/3.5

https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E

https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/03/msg00033.htmlMailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W

https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html

https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html

https://security.gentoo.org/glsa/202007-03Third Party Advisory

https://www.debian.org/security/2020/dsa-4693Third Party Advisory

https://www.drupal.org/sa-core-2020-002Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory

https://www.tenable.com/security/tns-2020-10Third Party Advisory

https://www.tenable.com/security/tns-2020-11Third Party Advisory

https://www.tenable.com/security/tns-2021-02Third Party Advisory

https://www.tenable.com/security/tns-2021-10Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.htmlBroken Link

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.htmlBroken Link

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.htmlBroken Link

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/Release NotesVendor Advisory

https://jquery.com/upgrade-guide/3.5/MitigationVendor Advisory

https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3Ccommits.airflow.apache.org%3E

https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/

https://security.netapp.com/advisory/ntap-20200511-0006/Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin