CVE-2020-11022

MEDIUM

Description

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2

https://jquery.com/upgrade-guide/3.5/

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.airflow.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/

https://lists.fedoraproject.org/archives/list/[email protected]/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/

https://lists.fedoraproject.org/archives/list/[email protected]/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/

https://security.gentoo.org/glsa/202007-03

https://security.netapp.com/advisory/ntap-20200511-0006/

https://www.debian.org/security/2020/dsa-4693

https://www.drupal.org/sa-core-2020-002

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.tenable.com/security/tns-2020-10

https://www.tenable.com/security/tns-2020-11

https://www.tenable.com/security/tns-2021-02

Details

Source: MITRE

Published: 2020-04-29

Updated: 2021-02-18

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from 8.0.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.6.0.0 to 8.1.0.0.0 (inclusive)

cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.1.0 (inclusive)

cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.9 (inclusive)

cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.1.0 (inclusive)

cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.9 (inclusive)

cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from 19.1.0 to 19.1.2 (inclusive)

cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.1.0 (inclusive)

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from 5.0.0.0 to 5.6.0.0 (inclusive)

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from 12.2.0 to 12.2.20 (inclusive)

cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from 12.2.0 to 12.2.20 (inclusive)

cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from 3.0 to 3.1.3 (inclusive)

cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Configuration 8

AND

OR

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 9

AND

OR

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 10

AND

OR

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 11

AND

OR

cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 12

AND

OR

cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 13

AND

OR

cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 14

AND

OR

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 15

AND

OR

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 16

OR

cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*

Tenable Plugins

View all (34 total)

IDNameProductFamilySeverity
145989CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847)NessusCentOS Local Security Checks
medium
145873CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670)NessusCentOS Local Security Checks
medium
145244Oracle WebCenter Sites (Jan 2021 CPU)NessusWindows
medium
145224Oracle Application Testing Suite (Jan 2021 CPU)NessusMisc.
high
144584Tenable SecurityCenter < 5.17.0 Multiple Vulnerabilities (TNS-2020-11)NessusMisc.
medium
143080RHEL 7 : ipa (RHSA-2020:3936)NessusRed Hat Local Security Checks
medium
142840openSUSE Security Update : otrs (openSUSE-2020-1888)NessusSuSE Local Security Checks
medium
142435RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670)NessusRed Hat Local Security Checks
medium
142409RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847)NessusRed Hat Local Security Checks
medium
142146Oracle JDeveloper XSS (October 2020 CPU)NessusMisc.
medium
141974Amazon Linux 2 : ipa-client (ALAS-2020-1519)NessusAmazon Linux Local Security Checks
medium
141807Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU)NessusMisc.
critical
141734Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001)NessusScientific Linux Local Security Checks
medium
141586CentOS 7 : ipa (CESA-2020:3936)NessusCentOS Local Security Checks
medium
140750RHEL 8 : Red Hat Virtualization (RHSA-2020:3807)NessusRed Hat Local Security Checks
medium
140557Fedora 31 : drupal7 (2020-fbb94073a1)NessusFedora Local Security Checks
medium
140545Fedora 32 : drupal7 (2020-0b32a59b54)NessusFedora Local Security Checks
medium
140234FreeBSD : Gitlab -- multiple vulnerabilities (1fb13175-ed52-11ea-8b93-001b217b3468)NessusFreeBSD Local Security Checks
medium
139112FreeBSD : Cacti -- multiple vulnerabilities (cd2dc126-cfe4-11ea-9172-4c72b94353b5)NessusFreeBSD Local Security Checks
medium
138985openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-1060)NessusSuSE Local Security Checks
medium
138926GLSA-202007-03 : Cacti: Multiple vulnerabilitiesNessusGentoo Local Security Checks
medium
138526Oracle Primavera Gateway (Jul 2020 CPU)NessusCGI abuses
high
112485Joomla! 2.5.x < 3.9.19 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
137423Fedora 32 : drupal8 (2020-36d2db5f51)NessusFedora Local Security Checks
medium
137366Joomla 2.5.x < 3.9.19 Multiple Vulnerabilities (5812-joomla-3-9-19)NessusCGI abuses
medium
112438Drupal 7.x < 7.70 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
112437Drupal 8.7.x < 8.7.14 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
112430Drupal 8.8.x < 8.8.6 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
137104Fedora 32 : drupal7 (2020-11be4b36d4)NessusFedora Local Security Checks
medium
137064RHEL 7 / 8 : Red Hat OpenShift Service Mesh (RHSA-2020:2362)NessusRed Hat Local Security Checks
high
136976RHEL 7 : OpenShift Container Platform 3.11 (RHSA-2020:2217)NessusRed Hat Local Security Checks
medium
136932Debian DSA-4693-1 : drupal7 - security updateNessusDebian Local Security Checks
medium
136929JQuery 1.2 < 3.5.0 Multiple XSSNessusCGI abuses : XSS
medium
136745Drupal 7.0.x < 7.70 / 7.0.x < 7.70 / 8.7.x < 8.7.14 / 8.8.x < 8.8.6 Multiple Vulnerabilities (drupal-2020-05-20)NessusCGI abuses
medium