CVE-2020-11023

Cross-Site Scripting
Affects: jQuery
Versions: >=1.0.3 <3.5.0
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Steps to Reproduce

This Medium-severity vulnerability (CVE-2020-11023) is related to CVE-2020-11022 and is found in jQuery versions greater than or equal to 1.0.3 and before 3.5.0. Whereas CVE-2020-11022 concerns HTML in general, this problem may occur when HTML containing <option> elements is passed, even after sanitizing it, to one of jQuery's DOM manipulation methods (such as .html(), .append(), and others). With specially crafted input, these methods may execute untrusted code.

Addressing the Issue

Clients should update to jQuery v3.5.0 immediately after thorough testing. Extensive testing is required because the normalization logic in the jQuery.htmlPrefilter() method changed in v3.5.0 and there are edge cases in which the normalization functionality may produce unexpected results. If the old behavior is absolutely required, the jQuery 3.5.0 Release blog describes a way to use the old logic in a safe way.
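
To find which copies need the update, script references can be checked against the affected range stated on this page. The following is an added example, not code from HeroDevs or the jQuery project; the function names and the sample paths and banner are constructed for illustration.

```javascript
// Added example (not HeroDevs or jQuery code). Range bounds come from the advisory.
const LOWER = [1, 0, 3]; // first affected version
const UPPER = [3, 5, 0]; // first fixed version

// Matches file names such as "jquery-3.4.1.min.js" and banner text "jQuery v3.4.1".
// Names like "jquery-ui-1.12.1.js" do not match, so plugins are not misread as core.
const VERSION_RE = /jquery(?:[-.]|\s+v)(\d+)\.(\d+)(?:\.(\d+))?(-[0-9a-z.]+)?/i;

function parseVersion(text) {
  const m = VERSION_RE.exec(text);
  if (!m) return null;
  // Early releases used two-part versions (e.g. 1.4); treat a missing patch as 0.
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3] || 0)], pre: Boolean(m[4]) };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(text) {
  const v = parseVersion(text);
  if (!v) return "unknown"; // no version visible: inspect the file itself
  const vsUpper = compare(v.nums, UPPER);
  // Semver orders a pre-release before its release, so 3.5.0-rc.1 is below 3.5.0.
  const belowUpper = vsUpper < 0 || (vsUpper === 0 && v.pre);
  return compare(v.nums, LOWER) >= 0 && belowUpper ? "affected" : "not-affected";
}

// Constructed sample inputs: script paths and a minified-file banner.
const samples = [
  "/static/js/jquery-3.4.1.min.js",
  "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
  "https://cdn.example.test/jquery-3.5.0.min.js",
  "jquery-3.5.0-rc.1.js",
  "jquery-1.4.min.js",
  "jquery-ui-1.12.1.min.js",
  "jquery.min.js",
];
for (const s of samples) console.log(classify(s).padEnd(13), s);
```

A version string alone cannot show whether a build carries a backported fix, so an "affected" result is a prompt to check the file's origin, and "unknown" means the version has to be read from the file contents.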

Learning and Prevention

Sanitizing untrusted data before using or storing it is a security best practice for good reason: untrusted data is a common vector for breaking code. In this case, the normalization logic used in jQuery's manipulation methods has an error that specifically affects <option> elements, even in sanitized HTML data.

If you are going to use untrusted data, the jQuery team recommends sanitizing it with the DOMPurify library and being sure to use the SAFE_FOR_JQUERY option. DOMPurify is a very popular, highly configurable library specifically designed to help prevent Cross-Site Scripting (XSS) exploits.

Conclusion

To provide the most secure possible JavaScript libraries for their sites, HeroDevs NES clients receive versions of jQuery with this and all other relevant CVEs fixed.

This fix directly corrects the potential security hole described by CVE-2020-11023. To stay apprised of security updates like these, contact us today to become a customer.

Resources

Vulnerability Details
ID: CVE-2020-11023
Project Affected: jQuery
Versions Affected: >=1.0.3 <3.5.0
Published date: April 29, 2020
≈ Fix date: February 1, 2023
Fixed in
Severity: Medium
Severity levels by CVSS assessment: Low (>=0 <4), Medium (>=4 <6), High (>=6 <8), Critical (>=8 <10)
Category: Cross-Site Scripting