The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday placed a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.
“Passing HTML containing <option> elements from untrusted sources – even after sanitizing them – to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code,” according to a GitHub advisory released for the flaw.
The problem was addressed in jQuery version 3.5.0 released in April 2020. A workaround for CVE-2020-11023 involves using DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method.
As is typically the case, the advisory from CISA is lean on details about the specific nature of exploitation and the identity of threat actors weaponizing the shortcoming. Nor are there any public reports related to attacks that leverage the flaw in question.
That said, Dutch security firm EclecticIQ revealed in February 2024 that the command-and-control (C2) addresses associated with a malicious campaign exploiting security flaws in Ivanti appliances ran a version of JQuery that was susceptible to at least one of the three flaws, CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the identified flaw by February 13, 2025, to secure their networks against active threats.
