CVE-2020-11023
Published: 29 April 2020
Summary
CVE-2020-11023 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Oracle Rest Data Services. Its CVSS base score is 6.9 (Medium).
Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-11023 is a cross-site scripting vulnerability affecting jQuery versions from 1.0.3 up to but not including 3.5.0. It occurs when HTML containing <option> elements from untrusted sources is passed to DOM manipulation methods such as .html() or .append(), even if the input has been sanitized beforehand, allowing execution of untrusted code. The issue is tracked under CWE-79 and carries a CVSS 3.1 score of 6.9.
An attacker can supply crafted HTML containing <option> tags to an application that uses an affected jQuery version and feeds that input into the vulnerable DOM methods. Successful exploitation can result in execution of arbitrary script in the context of the affected page, potentially leading to theft of sensitive data or other actions within the victim's browser session.
The jQuery project released version 3.5.0 to address the flaw. Multiple openSUSE security advisories reference the update and recommend applying the patched jQuery release to resolve the exposure.
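To find pages still loading a release in the affected range, the following added example (not code from this page or from the jQuery project) audits script tags against the range given above and records whether each tag carries a Subresource Integrity attribute. It assumes the version number appears in the script URL; the function names and sample markup are hypothetical.

```javascript
// Added example (not from the original page): audit <script> tags for jQuery core
// versions in the affected range and record whether each tag uses SRI.
const AFFECTED_MIN = [1, 0, 3]; // first affected release, as stated on this page
const FIXED = [3, 5, 0];        // first patched release, as stated on this page

// Compare two [major, minor, patch] arrays: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when a version string such as "3.4.1" is >= 1.0.3 and < 3.5.0.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?$/.exec(version);
  if (!m) return false;
  const v = [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Find script tags that load jQuery core (not jquery-ui or jquery-migrate).
function auditJqueryScripts(html) {
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const versionRe = /jquery[-\/@](\d+\.\d+(?:\.\d+)?)/i;
  const findings = [];
  for (const tag of html.matchAll(tagRe)) {
    const ver = versionRe.exec(tag[1]);
    if (!ver) continue; // no recognisable jQuery core version in the URL
    findings.push({
      src: tag[1],
      version: ver[1],
      affected: isAffected(ver[1]),
      hasIntegrity: /\bintegrity\s*=/i.test(tag[0]),
    });
  }
  return findings;
}

// Constructed sample markup; hosts, paths and the integrity value are placeholders.
const SAMPLE_HTML = `
<script src="https://cdn.example.test/jquery/3.4.1/jquery.min.js"></script>
<script src="/js/jquery-1.12.4.min.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/js/jquery-3.5.0.min.js"></script>
<script src="/js/jquery-ui-1.12.1.min.js"></script>`;

console.log(auditJqueryScripts(SAMPLE_HTML));
```

Bundled or renamed copies of jQuery carry no version in the URL and will not be matched by this check.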
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-0387
Vulnerability details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
- CWE(s)
- KEV Date Added: 23 January 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the jQuery 3.5.0 patch that eliminates the <option>-tag bypass in .html(), .append() and related DOM methods.
Mandates rigorous validation and sanitization of untrusted HTML before it reaches jQuery DOM manipulation APIs, closing the exact vector described in the CVE.
Requires integrity verification of the jQuery library and client-side scripts to ensure only patched, non-vulnerable versions are loaded.