Cyber Resilience

CVE-2020-11023

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 29 April 2020
Modified: 07 November 2025
KEV Added: 23 January 2025
CVSS Score v3.1: 6.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.3410 (97.1th percentile)
Risk Priority: 54 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-11023 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Oracle REST Data Services. Its CVSS base score is 6.9 (Medium).

Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-11023 is a cross-site scripting vulnerability affecting jQuery versions from 1.0.3 up to but not including 3.5.0. It occurs when HTML containing <option> elements from untrusted sources is passed to DOM manipulation methods such as .html() or .append(), even if the input has been sanitized beforehand, allowing execution of untrusted code. The issue is tracked under CWE-79 and carries a CVSS 3.1 score of 6.9.

An attacker can supply crafted HTML containing <option> tags to an application that uses an affected jQuery version and feeds that input into the vulnerable DOM methods. Successful exploitation can result in execution of arbitrary script in the context of the affected page, potentially leading to theft of sensitive data or other actions within the victim's browser session.

The jQuery project released version 3.5.0 to address the flaw. Multiple openSUSE security advisories reference the update and recommend applying the patched jQuery release to resolve the exposure.
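
As an added example (not part of the original advisory or of jQuery's own code), the following Node.js script flags script references or file banners whose jQuery version falls in the affected range, 1.0.3 up to but not including 3.5.0. The patterns, function names and sample inventory are assumptions constructed for illustration.

```javascript
// Affected range stated in the advisory: >= 1.0.3 and < 3.5.0.
const AFFECTED_MIN = [1, 0, 3];
const FIXED_IN = [3, 5, 0];

// Two places a version usually appears: the script URL or file name
// (jquery-3.4.1.min.js, /jquery/3.4.1/jquery.js, jquery@3.4.1) and the
// banner comment at the top of a build (/*! jQuery v3.4.1 | ...).
// jQuery UI and jQuery Migrate names are deliberately not matched.
const VERSION_PATTERNS = [
  /jquery[-@\/](\d+(?:\.\d+){1,2})/i,
  /jQuery (?:JavaScript Library )?v(\d+(?:\.\d+){1,2})/i,
];

// Returns [major, minor, patch] or null. Pre-release suffixes are ignored.
function parseVersion(text) {
  for (const re of VERSION_PATTERNS) {
    const m = re.exec(text);
    if (m) {
      const parts = m[1].split(".").map(Number);
      while (parts.length < 3) parts.push(0);
      return parts;
    }
  }
  return null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(text) {
  const v = parseVersion(text);
  if (!v) return { version: null, status: "unknown" };
  const hit = compare(v, AFFECTED_MIN) >= 0 && compare(v, FIXED_IN) < 0;
  return { version: v.join("."), status: hit ? "affected" : "not-affected" };
}

// Constructed sample inventory: script URLs and one banner line.
const SAMPLES = [
  "https://cdn.example.test/js/jquery-3.4.1.min.js",
  "/static/vendor/jquery/3.5.0/jquery.min.js",
  "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
  "/assets/jquery-ui-1.12.1.js",
];
for (const s of SAMPLES) console.log(classify(s).status.padEnd(13), s);
```

A version string only shows what a file claims to be, so bundled or renamed copies still need a content-level check.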

Vulnerability details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CWE(s): CWE-79
KEV Date Added: 23 January 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jquery / jquery: 1.0.3 — 3.5.0
debian / debian linux: 9.0
fedoraproject / fedora: 31, 32, 33
drupal / drupal: 7.0 — 7.70 · 8.7.0 — 8.7.14 · 8.8.0 — 8.8.6
oracle / application express: ≤ 20.2
oracle / application testing suite: 13.3.0.1
oracle / banking enterprise collections: 2.7.0 — 2.8.0
oracle / banking platform: 2.4.0 — 2.10.0
oracle / blockchain platform: 21.1.2 · ≤ 21.1.2
oracle / business intelligence: 5.9.0.0.0
+42 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires applying the jQuery 3.5.0 patch that eliminates the <option>-tag bypass in .html(), .append() and related DOM methods.

prevent: Mandates rigorous validation and sanitization of untrusted HTML before it reaches jQuery DOM manipulation APIs, closing the exact vector described in the CVE.

prevent · detect: Requires integrity verification of the jQuery library and client-side scripts to ensure only patched, non-vulnerable versions are loaded.
