CVE-2020-11022

MEDIUM

Published 2020-04-29T00:00:00

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2020-11022. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

6.9

/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.026

probability

of exploitation in the wild

There is a 2.6% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.850

Higher than 85.0% of all CVEs

Attack Vector Metrics

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Impact Metrics

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Description

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

jquery

jQuery

Affected Versions:

>= 1.2, < 3.5.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Potential XSS vulnerability in jQuery

GHSA-gxr4-xjj5-5px2

Advisory Details

### Impact Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. ### Patches This problem is patched in jQuery 3.5.0. ### Workarounds To workaround the issue without upgrading, adding the following to your code: ```js jQuery.htmlPrefilter = function( html ) { return html; }; ``` You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround. ### References https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.

Affected Packages

npm jquery

ECOSYSTEM: ≥1.2.0 <3.5.0

NuGet jquery

ECOSYSTEM: ≥1.2.0 <3.5.0

RubyGems jquery-rails

ECOSYSTEM: ≥0 <4.4.0

Maven org.webjars.npm:jquery

ECOSYSTEM: ≥1.2.0 <3.5.0

Packagist maximebf/debugbar

ECOSYSTEM: ≥0 <1.19.0

Packagist athlon1600/youtube-downloader

ECOSYSTEM: ≥0 ≤4.0.0

Packagist components/jquery

ECOSYSTEM: ≥1.2.0 <3.5.0

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

References

WEB https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-11022

WEB https://github.com/maximebf/php-debugbar/issues/447

WEB https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

WEB https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc

WEB https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W

WEB https://security.gentoo.org/glsa/202007-03

WEB https://security.netapp.com/advisory/ntap-20200511-0006

WEB https://www.debian.org/security/2020/dsa-4693

WEB https://www.drupal.org/sa-core-2020-002

WEB https://www.npmjs.com/advisories/1518

WEB https://www.oracle.com//security-alerts/cpujul2021.html

WEB https://www.oracle.com/security-alerts/cpuApr2021.html

WEB https://www.oracle.com/security-alerts/cpuapr2022.html

WEB https://www.oracle.com/security-alerts/cpujan2021.html

WEB https://www.oracle.com/security-alerts/cpujan2022.html

WEB https://www.oracle.com/security-alerts/cpujul2020.html

WEB https://www.oracle.com/security-alerts/cpujul2022.html

WEB https://www.oracle.com/security-alerts/cpuoct2020.html

WEB https://www.oracle.com/security-alerts/cpuoct2021.html

WEB https://www.tenable.com/security/tns-2020-10

WEB https://www.tenable.com/security/tns-2020-11

WEB https://www.tenable.com/security/tns-2021-02

WEB https://www.tenable.com/security/tns-2021-10

ADVISORY https://github.com/advisories/GHSA-gxr4-xjj5-5px2

PACKAGE https://github.com/jquery/jquery

WEB https://github.com/jquery/jquery/releases/tag/3.5.0

WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml

WEB https://jquery.com/upgrade-guide/3.5

WEB https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E

WEB https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E

WEB https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E

WEB https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html

WEB https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4

WEB http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

WEB http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html

WEB http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html

WEB http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html

Advisory provided by GitHub Security Advisory Database. Published: April 29, 2020, Modified: January 31, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post

Reddit • 2 months, 4 weeks ago

_cybersecurity_

New Cybersecurity Vulnerability in Hitachi Energy's MSM Could Put Critical Infrastructure at Risk **A serious cross-site scripting vulnerability has been identified in Hitachi Energy's Modular Switchgear Monitoring system, potentially allowing remote attackers to execute untrusted code.** **Key Points:** - Vulnerability involves improper neutralization of input during web page generation. - …

3.0

View Original