CVE-2020-11023

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

References

https://jquery.com/upgrade-guide/3.5/

https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

https://security.netapp.com/advisory/ntap-20200511-0006/

https://www.drupal.org/sa-core-2020-002

https://www.debian.org/security/2020/dsa-4693

https://lists.fedoraproject.org/archives/list/[email protected]/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/

https://www.oracle.com/security-alerts/cpujul2020.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

https://security.gentoo.org/glsa/202007-03

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html

https://lists.apache.org/thread.html/[email protected]%3Cgitbox.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cgitbox.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cgitbox.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cgitbox.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cgitbox.hive.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/

https://lists.apache.org/thread.html/[email protected]%3Ccommits.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cgitbox.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/

https://lists.apache.org/thread.html/[email protected]%3Ccommits.nifi.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb[email protected]%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.felix.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.felix.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.felix.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.felix.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.felix.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.felix.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.felix.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.felix.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342[email protected]%3Cissues.flink.apache.org%3E

https://www.tenable.com/security/tns-2021-02

https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html

http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://www.tenable.com/security/tns-2021-10

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2020-04-29

Updated: 2021-10-20

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from 2.7.0 to 2.8.0 (inclusive)

cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from 2.4.0 to 2.10.0 (inclusive)

cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from 6.1 to 6.4 (inclusive)

cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from 4.1 to 4.3 (inclusive)

cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 16.2 to 16.2.11 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.12.0 to 17.12.7 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 18.8.0 to 18.8.9 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 19.12.0 to 19.12.4 (inclusive)

cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*

cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*

cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*

cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*

cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*

cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to 20.12 (inclusive)

cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Configuration 6

AND

OR

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 7

AND

OR

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 8

AND

OR

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 9

AND

OR

cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 10

AND

OR

cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 11

AND

OR

cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 12

AND

OR

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 13

AND

OR

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 14

OR

cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from 3.0 to 3.1.3 (inclusive)

cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*

Tenable Plugins

View all (35 total)

IDNameProductFamilySeverity
152744Oracle Linux 7 : bootstrap (ELSA-2021-9400)NessusOracle Linux Local Security Checks
medium
150139Tenable Log Correlation Engine (LCE) < 6.0.9 (TNS-2021-10)NessusMisc.
medium
149756CentOS 8 : idm:DL1 and idm:client (CESA-2021:1846)NessusCentOS Local Security Checks
medium
149672RHEL 8 : idm:DL1 and idm:client (RHSA-2021:1846)NessusRed Hat Local Security Checks
medium
148921Amazon Linux 2 : ipa (ALAS-2021-1626)NessusAmazon Linux Local Security Checks
medium
148918Oracle Primavera Unifier (Apr 2021 CPU)NessusCGI abuses
medium
148894Oracle Database Server Multiple Vulnerabilities (Apr 2021 CPU)NessusDatabases
medium
148146Debian DLA-2608-1 : jquery security updateNessusDebian Local Security Checks
medium
147888Oracle Linux 7 : ipa (ELSA-2021-0860)NessusOracle Linux Local Security Checks
medium
147836RHEL 7 : ipa (RHSA-2021:0860)NessusRed Hat Local Security Checks
medium
147729Nessus Network Monitor < 5.13.0 Multiple Vulnerabilities (TNS-2021-02)NessusMisc.
medium
145989CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847)NessusCentOS Local Security Checks
medium
145244Oracle WebCenter Sites (Jan 2021 CPU)NessusWindows
medium
144399RHEL 8 : python-XStatic-jQuery224 (RHSA-2020:5412)NessusRed Hat Local Security Checks
medium
142840openSUSE Security Update : otrs (openSUSE-2020-1888)NessusSuSE Local Security Checks
medium
142409RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847)NessusRed Hat Local Security Checks
medium
141829Oracle Database Server Multiple Vulnerabilities (Oct 2020 CPU)NessusDatabases
critical
140750RHEL 8 : Red Hat Virtualization (RHSA-2020:3807)NessusRed Hat Local Security Checks
high
140557Fedora 31 : drupal7 (2020-fbb94073a1)NessusFedora Local Security Checks
high
140545Fedora 32 : drupal7 (2020-0b32a59b54)NessusFedora Local Security Checks
high
139385RHEL 7 / 8 : Red Hat OpenShift Service Mesh (RHSA-2020:3369)NessusRed Hat Local Security Checks
high
139112FreeBSD : Cacti -- multiple vulnerabilities (cd2dc126-cfe4-11ea-9172-4c72b94353b5)NessusFreeBSD Local Security Checks
high
138985openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-1060)NessusSuSE Local Security Checks
high
138926GLSA-202007-03 : Cacti: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
138526Oracle Primavera Gateway (Jul 2020 CPU)NessusCGI abuses
critical
112485Joomla! 2.5.x < 3.9.19 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
high
137423Fedora 32 : drupal8 (2020-36d2db5f51)NessusFedora Local Security Checks
medium
137366Joomla 2.5.x < 3.9.19 Multiple Vulnerabilities (5812-joomla-3-9-19)NessusCGI abuses
high
112438Drupal 7.x < 7.70 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
112437Drupal 8.7.x < 8.7.14 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
112430Drupal 8.8.x < 8.8.6 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
136932Debian DSA-4693-1 : drupal7 - security updateNessusDebian Local Security Checks
medium
136929JQuery 1.2 < 3.5.0 Multiple XSSNessusCGI abuses : XSS
medium
136745Drupal 7.0.x < 7.70 / 7.0.x < 7.70 / 8.7.x < 8.7.14 / 8.8.x < 8.8.6 Multiple Vulnerabilities (drupal-2020-05-20)NessusCGI abuses
medium
112383jQuery 1.2.0 < 3.5.0 Cross-Site ScriptingWeb Application ScanningComponent Vulnerability
medium