CVE-2020-11022

Severity: medium

Description

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

References

https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

https://jquery.com/upgrade-guide/3.5/

https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

https://security.netapp.com/advisory/ntap-20200511-0006/

https://www.drupal.org/sa-core-2020-002

https://www.debian.org/security/2020/dsa-4693

https://lists.fedoraproject.org/archives/list/[email protected]/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/

https://lists.fedoraproject.org/archives/list/[email protected]/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/

https://www.oracle.com/security-alerts/cpujul2020.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

https://security.gentoo.org/glsa/202007-03

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.airflow.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://www.tenable.com/security/tns-2020-10

https://www.tenable.com/security/tns-2020-11

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://www.tenable.com/security/tns-2021-02

https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html

http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://www.tenable.com/security/tns-2021-10

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2020-04-29

Updated: 2021-07-20

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.6.0.0 to 8.1.0.0.0 (inclusive)

cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.9 (inclusive)

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from 8.0.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.1.0 (inclusive)

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from 19.1.0 to 19.1.2 (inclusive)

cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.1.0 (inclusive)

cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from 12.2.0 to 12.2.20 (inclusive)

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from 5.0.0.0 to 5.6.0.0 (inclusive)

cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.9 (inclusive)

cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.1.0 (inclusive)

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from 12.2.0 to 12.2.20 (inclusive)

cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from 3.0 to 3.1.3 (inclusive)

cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Configuration 7

AND
  OR
    cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 8

AND
  OR
    cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 9

AND
  OR
    cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 10

AND
  OR
    cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 11

AND
  OR
    cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 12

AND
  OR
    cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 13

AND
  OR
    cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 14

AND
  OR
    cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
  OR
    cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 15

OR

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Tenable Plugins (45 total)

ID | Name | Product | Family | Severity
152985 | Tenable SecurityCenter < 5.19.0 Multiple XSS Vulnerabilities (TNS-2021-14) | Nessus | Misc. | medium
152772 | Oracle Enterprise Manager Ops Center (Oct 2020 CPU) | Nessus | Misc. | critical
151985 | Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated) | Nessus | Misc. | high
150139 | Tenable Log Correlation Engine (LCE) < 6.0.9 (TNS-2021-10) | Nessus | Misc. | medium
148980 | Oracle Business Intelligence Publisher Multiple Vulnerabilities (Apr 2021 CPU) | Nessus | Misc. | critical
148918 | Oracle Primavera Unifier (Apr 2021 CPU) | Nessus | CGI abuses | medium
148894 | Oracle Database Server Multiple Vulnerabilities (Apr 2021 CPU) | Nessus | Databases | medium
148146 | Debian DLA-2608-1 : jquery security update | Nessus | Debian Local Security Checks | medium
147729 | Nessus Network Monitor < 5.13.0 Multiple Vulnerabilities (TNS-2021-02) | Nessus | Misc. | medium
147251 | NewStart CGSL CORE 5.04 / MAIN 5.04 : ipa Multiple Vulnerabilities (NS-SA-2021-0045) | Nessus | NewStart CGSL Local Security Checks | medium
145989 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847) | Nessus | CentOS Local Security Checks | medium
145873 | CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670) | Nessus | CentOS Local Security Checks | medium
145244 | Oracle WebCenter Sites (Jan 2021 CPU) | Nessus | Windows | medium
145224 | Oracle Application Testing Suite (Jan 2021 CPU) | Nessus | Misc. | critical
144584 | Tenable SecurityCenter < 5.17.0 Multiple Vulnerabilities (TNS-2020-11) | Nessus | Misc. | high
143080 | RHEL 7 : ipa (RHSA-2020:3936) | Nessus | Red Hat Local Security Checks | medium
142840 | openSUSE Security Update : otrs (openSUSE-2020-1888) | Nessus | SuSE Local Security Checks | medium
142435 | RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670) | Nessus | Red Hat Local Security Checks | medium
142409 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847) | Nessus | Red Hat Local Security Checks | medium
142146 | Oracle JDeveloper XSS (October 2020 CPU) | Nessus | Misc. | medium
141974 | Amazon Linux 2 : ipa-client (ALAS-2020-1519) | Nessus | Amazon Linux Local Security Checks | medium
141807 | Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU) | Nessus | Misc. | critical
141734 | Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | medium
141586 | CentOS 7 : ipa (CESA-2020:3936) | Nessus | CentOS Local Security Checks | medium
140750 | RHEL 8 : Red Hat Virtualization (RHSA-2020:3807) | Nessus | Red Hat Local Security Checks | high
140557 | Fedora 31 : drupal7 (2020-fbb94073a1) | Nessus | Fedora Local Security Checks | high
140545 | Fedora 32 : drupal7 (2020-0b32a59b54) | Nessus | Fedora Local Security Checks | high
140234 | FreeBSD : Gitlab -- multiple vulnerabilities (1fb13175-ed52-11ea-8b93-001b217b3468) | Nessus | FreeBSD Local Security Checks | high
139112 | FreeBSD : Cacti -- multiple vulnerabilities (cd2dc126-cfe4-11ea-9172-4c72b94353b5) | Nessus | FreeBSD Local Security Checks | high
138985 | openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-1060) | Nessus | SuSE Local Security Checks | high
138926 | GLSA-202007-03 : Cacti: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
138526 | Oracle Primavera Gateway (Jul 2020 CPU) | Nessus | CGI abuses | critical
112485 | Joomla! 2.5.x < 3.9.19 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high
137423 | Fedora 32 : drupal8 (2020-36d2db5f51) | Nessus | Fedora Local Security Checks | medium
137366 | Joomla 2.5.x < 3.9.19 Multiple Vulnerabilities (5812-joomla-3-9-19) | Nessus | CGI abuses | high
112438 | Drupal 7.x < 7.70 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | medium
112437 | Drupal 8.7.x < 8.7.14 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | medium
112430 | Drupal 8.8.x < 8.8.6 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | medium
137104 | Fedora 32 : drupal7 (2020-11be4b36d4) | Nessus | Fedora Local Security Checks | medium
137064 | RHEL 7 / 8 : Red Hat OpenShift Service Mesh (RHSA-2020:2362) | Nessus | Red Hat Local Security Checks | medium
136976 | RHEL 7 : OpenShift Container Platform 3.11 (RHSA-2020:2217) | Nessus | Red Hat Local Security Checks | medium
136932 | Debian DSA-4693-1 : drupal7 - security update | Nessus | Debian Local Security Checks | medium
136929 | JQuery 1.2 < 3.5.0 Multiple XSS | Nessus | CGI abuses : XSS | medium
136745 | Drupal 7.0.x < 7.70 / 7.0.x < 7.70 / 8.7.x < 8.7.14 / 8.8.x < 8.8.6 Multiple Vulnerabilities (drupal-2020-05-20) | Nessus | CGI abuses | medium
112383 | jQuery 1.2.0 < 3.5.0 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium