CVE-2020-11022

Description

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

How to fix CVE-2020-11022

To remediate CVE-2020-11022, upgrade the affected package to a fixed version below.

• Bitnami/drupal—upgrade to 7.70.0 or later
• —upgrade to 7.52-2+deb9u10 or later
• —upgrade to 3.1.1-2+deb9u2 or later
• —upgrade to 3.5.0+dfsg-2 or later
• —upgrade to 6.0.30-1 or later
• —upgrade to 3.5.0 or later
• —upgrade to 3.5.0 or later
• —upgrade to 3.5.0 or later
• —no fix listed
• —upgrade to 3.5.0 or later
• —upgrade to 1.19.0 or later
• —upgrade to 4.4.0 or later

Is CVE-2020-11022 being exploited?

Low — EPSS is 2.5%, meaning exploitation activity has not been observed at scale.

Affected packages (12)

• >= 7.0.0, < 7.70.0, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.6
• from 0, < 7.52-2+deb9u10
• from 0, < 3.1.1-2+deb9u2
• from 0, < 3.5.0+dfsg-2
• from 0, < 6.0.30-1
• >= 1.12.0, < 3.5.0
• >= 1.12.0, < 3.5.0
• >= 1.12.0, < 3.5.0
• from 0, <= 4.0.0
• >= 1.12.0, < 3.5.0

CVSS scores

References (74)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-11022
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-11022
• PATCHgithub.com/jquery/jquery
• WEBlists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html