PT-2020-4421 · Jquery+12

Published: 2020-04-29 · Updated: 2026-03-10 · CVE-2020-11023

CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Vulnerable software and affected versions: jQuery 1.0.3 through 3.4.1
Description: jQuery's DOM manipulation methods, such as .html() and .append(), do not sufficiently sanitize user-provided data when HTML built from it is passed to them. An attacker can use this to run untrusted code in the page, i.e. a cross-site scripting (XSS) attack. The problem is fixed in jQuery 3.5.0. To protect against it, update to jQuery 3.5.0 or use DOMPurify for safer HTML handling. Agencies are urged to remediate by February 13, 2025.
Recommendations: For jQuery 1.0.3 through 3.4.1, update to jQuery 3.5.0 to fix the issue. As a temporary workaround, sanitize the HTML string with DOMPurify, using its SAFE_FOR_JQUERY option, before passing it to a jQuery method. Restrict use of the vulnerable DOM manipulation methods, such as .html() and .append(), to minimize the risk of exploitation.
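As an added example that is not part of this record or of the jQuery project, the following script checks vendored jQuery copies against the affected range stated above (1.0.3 up to but not including 3.5.0). The file paths and banner lines are constructed sample input.

```javascript
// Added example (not from the advisory or from jQuery): flag vendored jQuery
// files whose version lies in the range affected by CVE-2020-11023.
const AFFECTED_FROM = "1.0.3";
const FIXED_IN = "3.5.0";

// "3.4.1" -> [3, 4, 1]; a suffix such as "-pre" is ignored for the comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(v);
  if (!m) throw new Error(`not a version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Component-wise numeric comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected: AFFECTED_FROM <= version < FIXED_IN.
function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Read the version from a jQuery file banner. Both the minified form
// ("/*! jQuery v3.4.1 | ...") and the unminified form
// ("* jQuery JavaScript Library v3.4.1") are matched. At runtime the same
// check can be applied to the string held in jQuery.fn.jquery.
function extractJqueryVersion(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?(?:-[\w.]+)?)/.exec(source);
  return m ? m[1] : null;
}

// One {path, version, affected} entry per file with a readable banner.
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, src]) => {
    const version = extractJqueryVersion(src);
    return version ? [{ path, version, affected: isAffected(version) }] : [];
  });
}

// Constructed sample: the first lines of three vendored copies plus one
// unrelated file.
const SAMPLE_FILES = {
  "static/js/jquery-1.12.4.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
  "static/js/jquery-3.4.1.js": "/*!\n * jQuery JavaScript Library v3.4.1\n * https://jquery.com/",
  "static/js/jquery-3.5.0.min.js": "/*! jQuery v3.5.0 | (c) JS Foundation and other contributors | jquery.org/license */",
  "static/js/app.js": "// application code, no jQuery banner",
};

console.log(scanFiles(SAMPLE_FILES));
```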

Tags: Exploit · Fix · XSS

Related Identifiers

ALSA-2021:1846
ALSA-2021:4142
ALSA-2025:1210
ALSA-2025:1215
ALSA-2025:1300
ALSA-2025:1301
ALSA-2025:1306
ALSA-2025:1309
ALSA-2025:1314
ALSA-2025:1329
ALSA-2025:1338
ALSA-2025:1346
ALSA-2025_1210
ALSA-2025_1215
ALSA-2025_1300
ALSA-2025_1301
ALSA-2025_1306
ALSA-2025_1309
ALSA-2025_1314
ALSA-2025_1329
ALSA-2025_1338
ALSA-2025_1346
ALSA-2025_16880
ALT-PU-2020-3078
ALT-PU-2020-3096
BDU:2020-04949
BIT-DRUPAL-2020-11023
CESA-2020_4847
CESA-2021_0851
CESA-2021_1846
CESA-2021_4142
CESA-2025_1215
CESA-2025_1301
CESA-2025_1306
CESA-2025_1314
CESA-2025_1338
CVE-2020-11023
DLA-2608-1
DLA-3551-1
DSA-4693-1
GHSA-JPCQ-CGW6-V4J6
INFSA-2025_1210
INFSA-2025_1215
INFSA-2025_1300
INFSA-2025_1301
INFSA-2025_1306
INFSA-2025_1309
INFSA-2025_1314
INFSA-2025_1329
INFSA-2025_1338
INFSA-2025_1346
OPENSUSE-SU-2020:1060-1
OPENSUSE-SU-2020:1106-1
OPENSUSE-SU-2020:1888-1
OPENSUSE-SU-2020_1060-1
OPENSUSE-SU-2020_1888-1
RHSA-2020:3247
RHSA-2020:3369
RHSA-2020:3807
RHSA-2020:4211
RHSA-2020:4847
RHSA-2020:5412
RHSA-2020_4847
RHSA-2021:0851
RHSA-2021:0860
RHSA-2021:1846
RHSA-2021:4142
RHSA-2021_0851
RHSA-2021_0860
RHSA-2021_1846
RHSA-2021_4142
RHSA-2022:6393
RHSA-2022:7343
RHSA-2022_7343
RHSA-2023:0552
RHSA-2023:0553
RHSA-2023:0554
RHSA-2023:1043
RHSA-2023:1044
RHSA-2023:1045
RHSA-2025:1070
RHSA-2025:1185
RHSA-2025:1209
RHSA-2025:1210
RHSA-2025:1211
RHSA-2025:1212
RHSA-2025:1213
RHSA-2025:1214
RHSA-2025:1215
RHSA-2025:1216
RHSA-2025:1217
RHSA-2025:1247
RHSA-2025:1255
RHSA-2025:1256
RHSA-2025:1300
RHSA-2025:1301
RHSA-2025:1303
RHSA-2025:1304
RHSA-2025:1305
RHSA-2025:1306
RHSA-2025:1308
RHSA-2025:1309
RHSA-2025:1310
RHSA-2025:1311
RHSA-2025:1312
RHSA-2025:1314
RHSA-2025:1315
RHSA-2025:1329
RHSA-2025:1338
RHSA-2025:1342
RHSA-2025:1346
RHSA-2025:1514
RHSA-2025:1515
RHSA-2025:1580
RHSA-2025:1601
RHSA-2025:2426
RHSA-2025_1210
RHSA-2025_1215
RHSA-2025_1300
RHSA-2025_1301
RHSA-2025_1306
RHSA-2025_1309
RHSA-2025_1314
RHSA-2025_1329
RHSA-2025_1338
RHSA-2025_1346
RLSA-2020:4847
RLSA-2021:1846
RLSA-2021:4142
RLSA-2025:1210
RLSA-2025:1215
RLSA-2025:1300
RLSA-2025:1301
RLSA-2025:1306
RLSA-2025:1309
RLSA-2025:1314
RLSA-2025:1329
RLSA-2025:1338
RLSA-2025:1346
ROSA-SA-2025-2760
USN-7246-1
USN-7622-1
USN-7658-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Jira
Linuxmint
Oracle Weblogic Server
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Jquery