CVE-2020-11022

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
GitHub_MCNA
6.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 89%
VendorProductVersion
jqueryjquery
1.2 ≤
𝑥
< 3.5.0
drupaldrupal
7.0 ≤
𝑥
< 7.70
drupaldrupal
8.7.0 ≤
𝑥
< 8.7.14
drupaldrupal
8.8.0 ≤
𝑥
< 8.8.6
debiandebian_linux
9.0
oracleagile_product_lifecycle_management_for_process
6.2.0.0
oracleapplication_testing_suite
13.3.0.1
oraclebanking_digital_experience
18.1
oraclebanking_digital_experience
18.2
oraclebanking_digital_experience
18.3
oraclebanking_digital_experience
19.1
oraclebanking_digital_experience
19.2
oraclebanking_digital_experience
20.1
oracleblockchain_platform
𝑥
< 21.1.2
oraclecommunications_application_session_controller
3.8m0:m0
oraclecommunications_billing_and_revenue_management
7.5.0.23.0
oraclecommunications_billing_and_revenue_management
12.0.0.3.0
oraclecommunications_diameter_signaling_router_idih\
8.0.0 ≤
𝑥
≤ 8.2.2
oraclecommunications_eagle_application_processor
16.1.0 ≤
𝑥
≤ 16.4.0
oraclecommunications_services_gatekeeper
7.0
oraclecommunications_webrtc_session_controller
7.2
oracleenterprise_manager_ops_center
12.4.0.0
oracleenterprise_session_border_controller
8.4
oraclefinancial_services_analytical_applications_infrastructure
8.0.6.0.0 ≤
𝑥
≤ 8.1.0.0.0
oraclefinancial_services_analytical_applications_reconciliation_framework
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_analytical_applications_reconciliation_framework
8.1.0
oraclefinancial_services_asset_liability_management
8.0.6
oraclefinancial_services_asset_liability_management
8.0.7
oraclefinancial_services_asset_liability_management
8.1.0
oraclefinancial_services_balance_sheet_planning
8.0.8
oraclefinancial_services_basel_regulatory_capital_basic
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_basel_regulatory_capital_basic
8.1.0
oraclefinancial_services_basel_regulatory_capital_internal_ratings_based_approach
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_basel_regulatory_capital_internal_ratings_based_approach
8.1.0
oraclefinancial_services_data_foundation
8.0.6 ≤
𝑥
≤ 8.1.0
oraclefinancial_services_data_governance_for_us_regulatory_reporting
8.0.6 ≤
𝑥
≤ 8.0.9
oraclefinancial_services_data_integration_hub
8.0.6
oraclefinancial_services_data_integration_hub
8.0.7
oraclefinancial_services_data_integration_hub
8.1.0
oraclefinancial_services_funds_transfer_pricing
8.0.6
oraclefinancial_services_funds_transfer_pricing
8.0.7
oraclefinancial_services_funds_transfer_pricing
8.1.0
oraclefinancial_services_hedge_management_and_ifrs_valuations
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_hedge_management_and_ifrs_valuations
8.1.0
oraclefinancial_services_institutional_performance_analytics
8.0.6
oraclefinancial_services_institutional_performance_analytics
8.0.7
oraclefinancial_services_institutional_performance_analytics
8.1.0
oraclefinancial_services_liquidity_risk_management
8.0.6
oraclefinancial_services_liquidity_risk_measurement_and_management
8.0.7
oraclefinancial_services_liquidity_risk_measurement_and_management
8.0.8
oraclefinancial_services_liquidity_risk_measurement_and_management
8.1.0
oraclefinancial_services_loan_loss_forecasting_and_provisioning
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_loan_loss_forecasting_and_provisioning
8.1.0
oraclefinancial_services_market_risk_measurement_and_management
8.0.6
oraclefinancial_services_market_risk_measurement_and_management
8.0.8
oraclefinancial_services_price_creation_and_discovery
8.0.6
oraclefinancial_services_price_creation_and_discovery
8.0.7
oraclefinancial_services_profitability_management
8.0.6
oraclefinancial_services_profitability_management
8.0.7
oraclefinancial_services_profitability_management
8.1.0
oraclefinancial_services_regulatory_reporting_for_european_banking_authority
8.0.6 ≤
𝑥
≤ 8.1.0
oraclefinancial_services_regulatory_reporting_for_us_federal_reserve
8.0.6 ≤
𝑥
≤ 8.0.9
oraclehealthcare_foundation
7.1.1
oraclehealthcare_foundation
7.2.0
oraclehealthcare_foundation
7.2.1
oraclehealthcare_foundation
7.3.0
oraclehospitality_materials_control
18.1
oraclehospitality_simphony
19.1.0 ≤
𝑥
≤ 19.1.2
oraclehospitality_simphony
18.1
oraclehospitality_simphony
18.2
oracleinsurance_accounting_analyzer
8.0.9
oracleinsurance_allocation_manager_for_enterprise_profitability
8.0.8
oracleinsurance_allocation_manager_for_enterprise_profitability
8.1.0
oracleinsurance_data_foundation
8.0.6 ≤
𝑥
≤ 8.1.0
oracleinsurance_insbridge_rating_and_underwriting
5.0.0.0 ≤
𝑥
≤ 5.6.0.0
oracleinsurance_insbridge_rating_and_underwriting
5.6.1.0
oraclejdeveloper
11.1.1.9.0
oraclejdeveloper
12.2.1.3.0
oraclejdeveloper
12.2.1.4.0
oraclepeoplesoft_enterprise_peopletools
8.56
oraclepeoplesoft_enterprise_peopletools
8.57
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepolicy_automation
12.2.0 ≤
𝑥
≤ 12.2.20
oraclepolicy_automation_connector_for_siebel
10.4.6
oraclepolicy_automation_for_mobile_devices
12.2.0 ≤
𝑥
≤ 12.2.20
oracleretail_back_office
14.0
oracleretail_back_office
14.1
oracleretail_customer_management_and_segmentation_foundation
19.0
oracleretail_returns_management
14.0
oracleretail_returns_management
14.1
oraclesiebel_ui_framework
20.8
oraclestoragetek_acsls
8.5.1
oracleweblogic_server
10.3.6.0.0
oracleweblogic_server
12.1.3.0.0
oracleweblogic_server
12.2.1.3.0
oracleweblogic_server
12.2.1.4.0
oracleweblogic_server
14.1.1.0.0
netappmax_data
-
netapponcommand_insight
-
netapponcommand_system_manager
3.0 ≤
𝑥
≤ 3.1.3
netappsnap_creator_framework
-
netappsnapcenter
-
netapph300s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
netapph300e_firmware
-
netapph500e_firmware
-
netapph700e_firmware
-
netapph410s_firmware
-
netapph410c_firmware
-
opensuseleap
15.1
opensuseleap
15.2
tenablelog_correlation_engine
𝑥
< 6.0.9
oracleagile_product_supplier_collaboration_for_process
6.2.0.0
oraclebanking_digital_experience
18.1 ≤
𝑥
≤ 20.1
oraclecommunications_application_session_controller
3.8m0:m0
oraclecommunications_billing_and_revenue_management
7.5.0.23.0
oraclecommunications_billing_and_revenue_management
12.0.0.3.0
oraclecommunications_diameter_signaling_router_idih\
8.0.0 ≤
𝑥
≤ 8.2.2
oraclecommunications_webrtc_session_controller
7.2
oracleenterprise_manager_ops_center
12.4.0.0
oracleenterprise_session_border_controller
8.4
oraclefinancial_services_analytical_applications_infrastructure
8.0.6 ≤
𝑥
≤ 8.1.0
oraclefinancial_services_analytical_applications_reconciliation_framework
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_analytical_applications_reconciliation_framework
8.1.0
oraclefinancial_services_asset_liability_management
8.0.6
oraclefinancial_services_asset_liability_management
8.0.7
oraclefinancial_services_asset_liability_management
8.1.0
oraclefinancial_services_balance_sheet_planning
8.0.8
oraclefinancial_services_basel_regulatory_capital_basic
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_basel_regulatory_capital_basic
8.1.0
oraclefinancial_services_basel_regulatory_capital_internal_ratings_based_approach
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_basel_regulatory_capital_internal_ratings_based_approach
8.1.0
oraclefinancial_services_data_foundation
8.0.6 ≤
𝑥
≤ 8.1.0
oraclefinancial_services_data_governance_for_us_regulatory_reporting
8.0.6 ≤
𝑥
≤ 8.0.9
oraclefinancial_services_data_integration_hub
8.0.6
oraclefinancial_services_data_integration_hub
8.0.7
oraclefinancial_services_data_integration_hub
8.1.0
oraclefinancial_services_funds_transfer_pricing
8.0.6
oraclefinancial_services_funds_transfer_pricing
8.0.7
oraclefinancial_services_funds_transfer_pricing
8.1.0
oraclefinancial_services_hedge_management_and_ifrs_valuations
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_hedge_management_and_ifrs_valuations
8.1.0
oraclefinancial_services_institutional_performance_analytics
8.0.6
oraclefinancial_services_institutional_performance_analytics
8.0.7
oraclefinancial_services_institutional_performance_analytics
8.1.0
oraclefinancial_services_liquidity_risk_management
8.0.6
oraclefinancial_services_liquidity_risk_measurement_and_management
8.0.7
oraclefinancial_services_liquidity_risk_measurement_and_management
8.0.8
oraclefinancial_services_liquidity_risk_measurement_and_management
8.1.0
oraclefinancial_services_loan_loss_forecasting_and_provisioning
8.0.6 ≤
𝑥
≤ 8.0.8
oraclefinancial_services_loan_loss_forecasting_and_provisioning
8.1.0
oraclefinancial_services_market_risk_measurement_and_management
8.0.6
oraclefinancial_services_market_risk_measurement_and_management
8.0.8
oraclefinancial_services_price_creation_and_discovery
8.0.6
oraclefinancial_services_price_creation_and_discovery
8.0.7
oraclefinancial_services_profitability_management
8.0.6
oraclefinancial_services_profitability_management
8.0.7
oraclefinancial_services_profitability_management
8.1.0
oraclefinancial_services_regulatory_reporting_for_european_banking_authority
8.0.6 ≤
𝑥
≤ 8.1.0
oraclefinancial_services_regulatory_reporting_for_us_federal_reserve
8.0.6 ≤
𝑥
≤ 8.0.9
oraclehealthcare_foundation
7.1.1
oraclehealthcare_foundation
7.2.0
oraclehealthcare_foundation
7.2.1
oraclehealthcare_foundation
7.3.0
oraclehospitality_materials_control
18.1
oraclehospitality_simphony
18.1
oraclehospitality_simphony
18.2
oraclehospitality_simphony
19.1.0-19.1.2
oracleinsurance_accounting_analyzer
8.0.9
oracleinsurance_allocation_manager_for_enterprise_profitability
8.0.8
oracleinsurance_allocation_manager_for_enterprise_profitability
8.1.0
oracleinsurance_data_foundation
8.0.6-8.1.0
oracleinsurance_insbridge_rating_and_underwriting
5.0.0.0 ≤
𝑥
≤ 5.6.0.0
oracleinsurance_insbridge_rating_and_underwriting
5.6.1.0
oraclejdeveloper
11.1.1.9.0
oraclejdeveloper
12.2.1.3.0
oraclejdeveloper
12.2.1.4.0
oraclepeoplesoft_enterprise_peopletools
8.56
oraclepeoplesoft_enterprise_peopletools
8.57
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepolicy_automation
12.2.0 ≤
𝑥
≤ 12.2.20
oraclepolicy_automation_connector_for_siebel
10.4.6
oraclepolicy_automation_for_mobile_devices
12.2.0 ≤
𝑥
≤ 12.2.20
oracleretail_back_office
14.0
oracleretail_back_office
14.1
oracleretail_customer_management_and_segmentation_foundation
19.0
oracleretail_returns_management
14.0
oracleretail_returns_management
14.1
oraclesiebel_ui_framework
20.8
oracleweblogic_server
10.3.6.0.0
oracleweblogic_server
12.1.3.0.0
oracleweblogic_server
12.2.1.3.0
oracleweblogic_server
12.2.1.4.0
oracleweblogic_server
14.1.1.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-jquery
bullseye
3.5.1+dfsg+~3.5.5-7
fixed
jessie
not-affected
buster
no-dsa
stretch
ignored
sid
3.6.1+dfsg+~3.5.14-1
fixed
trixie
3.6.1+dfsg+~3.5.14-1
fixed
bookworm
3.6.1+dfsg+~3.5.14-1
fixed
otrs2
bullseye/non-free
6.0.32-6
fixed
jessie
not-affected
buster
no-dsa
stretch
ignored
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
drupal7
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
dne
xenial
needs-triage
trusty
needs-triage
jquery
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
needs-triage
eoan
ignored
bionic
needs-triage
xenial
needs-triage
trusty
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
https://jquery.com/upgrade-guide/3.5/
https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
https://security.gentoo.org/glsa/202007-03
https://security.netapp.com/advisory/ntap-20200511-0006/
https://www.debian.org/security/2020/dsa-4693
https://www.drupal.org/sa-core-2020-002
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.tenable.com/security/tns-2020-10
https://www.tenable.com/security/tns-2020-11
https://www.tenable.com/security/tns-2021-02
https://www.tenable.com/security/tns-2021-10
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
https://jquery.com/upgrade-guide/3.5/
https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
https://security.gentoo.org/glsa/202007-03
https://security.netapp.com/advisory/ntap-20200511-0006/
https://www.debian.org/security/2020/dsa-4693
https://www.drupal.org/sa-core-2020-002
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.tenable.com/security/tns-2020-10
https://www.tenable.com/security/tns-2020-11
https://www.tenable.com/security/tns-2021-02
https://www.tenable.com/security/tns-2021-10