IRONSMITHINTEL
MEDIUMCVSS6.9
|
Actively Exploited
|CISA KEV|CVE-2020-11023|Auth: none — unauthenticated|Reboot: required|Manual only

JQuery Cross-Site Scripting (XSS) Vulnerability

JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.

Published Apr 29, 2020 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, partial data tampering. Federal agencies are required to remediate by 2025-02-13 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Cross-Site Scripting (XSS) (CWE-79) vulnerability in JQuery JQuery. In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. Exploitation requires remote network access, higher attack complexity, no authentication required, and user interaction required.

📧

Phishing link

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running jquery: 1.0.3 ≤ v < 3.5.0; debian linux: 9.0; fedora: 31, 32, 33; drupal: 7.0 ≤ v < 7.70, 8.7.0 ≤ v < 8.7.14, 8.8.0 ≤ v < 8.8.6; application express: v < 20.2; application testing suite: 13.3.0.1; banking enterprise collections: 2.7.0 ≤ v ≤ 2.8.0; banking platform: 2.4.0 ≤ v ≤ 2.10.0; blockchain platform: v < 21.1.2, 21.1.2; business intelligence: 5.9.0.0.0; communications analytics: 12.1.1; communications eagle application processor: 16.1.0 ≤ v ≤ 16.4.0; communications element manager: 8.1.1, 8.2.0, 8.2.1; communications interactive session recorder: 6.1 ≤ v ≤ 6.4; communications operations monitor: 4.1 ≤ v ≤ 4.3, 3.4; communications services gatekeeper: 7.0; communications session report manager: 8.1.1, 8.2.0, 8.2.1; communications session route manager: 8.1.1, 8.2.0, 8.2.1; financial services regulatory reporting for de nederlandsche bank: 8.0.4; financial services revenue management and billing analytics: 2.7, 2.8; health sciences inform: 6.3.0; healthcare translational research: 3.2.1, 3.3.1, 3.3.2, 3.4.0; hyperion financial reporting: 11.1.2.4; jd edwards enterpriseone orchestrator: v < 9.2.5.0; jd edwards enterpriseone tools: v < 9.2.5.0; oss support tools: v < 2.12.41; peoplesoft enterprise human capital management resources: 9.2; primavera gateway: 16.2 ≤ v ≤ 16.2.11, 17.12.0 ≤ v ≤ 17.12.7, 18.8.0 ≤ v ≤ 18.8.9, 19.12.0 ≤ v ≤ 19.12.4; rest data services: 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; siebel mobile: v ≤ 20.12; storagetek acsls: 8.5.1; storagetek tape analytics sw tool: 2.3.1; webcenter sites: 12.2.1.3.0, 12.2.1.4.0; weblogic server: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0; h300s firmware: -; h500s firmware: -; h700s firmware: -; h300e firmware: -; h500e firmware: -; h700e firmware: -; h410s firmware: -; h410c firmware: -; active iq unified manager: -; cloud backup: -; cloud insights storage workload security agent: -; hci baseboard management controller: -; max data: -; oncommand insight: -; oncommand system manager: 3.0 ≤ v ≤ 3.1.3; snap creator framework: -; snapcenter server: -; log correlation engine: v < 6.0.9
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

References

    1
    Vendor advisory: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-11023
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2020-11023NVDVendor Advisory