CVE-2020-11022

Name
CVE-2020-11022
Description
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
NVD Severity
medium

References

Type URI
Mitigation https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
Release Notes https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Mitigation https://jquery.com/upgrade-guide/3.5/
Patch https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
Third Party Advisory https://security.netapp.com/advisory/ntap-20200511-0006/
Third Party Advisory https://www.drupal.org/sa-core-2020-002
Third Party Advisory https://www.debian.org/security/2020/dsa-4693
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
Third Party Advisory https://www.oracle.com/security-alerts/cpujul2020.html
Broken Link http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
Third Party Advisory https://security.gentoo.org/glsa/202007-03
Broken Link http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
Mailing List https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2020.html
Mailing List https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E
Mailing List https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E
Broken Link http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
Mailing List https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E
Third Party Advisory https://www.tenable.com/security/tns-2020-10
Third Party Advisory https://www.tenable.com/security/tns-2020-11
Third Party Advisory https://www.oracle.com/security-alerts/cpujan2021.html
Mailing List https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E
Mailing List https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E
Third Party Advisory https://www.tenable.com/security/tns-2021-02
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
Exploit http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
Mailing List https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E
Mailing List https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E
Mailing List https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E
Mailing List https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E
CONFIRM https://www.tenable.com/security/tns-2021-10
MISC https://www.oracle.com/security-alerts/cpuApr2021.html
N/A https://www.oracle.com//security-alerts/cpujul2021.html
MISC https://www.oracle.com/security-alerts/cpuoct2021.html
Mailing List https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E
Patch https://www.oracle.com/security-alerts/cpujan2022.html
MISC https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* jquery >= 1.2 < 3.5.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status