jQuery XSS Vulnerability Actively Exploited Despite Patch

2025-01-24

Learn about the importance of patch management and how vulnerabilities in widely used libraries like jQuery can impact security.

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability in the jQuery library to its list of known exploited vulnerabilities. Although this medium-severity flaw, which could allow arbitrary code execution, was patched in jQuery version 3.5.0 in April 2020, it continues to be exploited. The flaw can occur when HTML containing

 

Key Facts

Risks:

Patch Management, Web App/Website Vulnerability, Open Source

Keywords:

jQuery, XSS vulnerability, CISA, CVE-2020-11023, DOM manipulation, patch management

CVE:

CVE-2020-11023

Affected:

jQuery

 

Article Body

CISA Highlights Exploited jQuery Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a known vulnerability in the popular jQuery JavaScript library to its list of exploited vulnerabilities. This vulnerability, identified as CVE-2020-11023, has been a concern due to its potential to enable cross-site scripting (XSS) attacks, which can lead to arbitrary code execution on web applications that use jQuery.

Understanding the jQuery Vulnerability

This specific vulnerability occurs when HTML containing <option> elements from untrusted sources is passed to jQuery's DOM manipulation methods, such as .html() or .append(). Even if the HTML has been sanitized, it may still execute untrusted code, posing a security risk.

Patch and Workaround

The vulnerability was patched in jQuery version 3.5.0, which was released in April 2020. However, despite the availability of this patch, the vulnerability continues to be exploited, underscoring the importance of maintaining up-to-date software.

For those who cannot immediately update to the latest jQuery version, a workaround involves using the DOMPurify library with the SAFE_FOR_JQUERY flag. This helps to sanitize HTML strings before passing them to jQuery methods, reducing the risk of exploitation.

Importance of Patch Management

This incident highlights the critical importance of effective patch management and the need for organizations to ensure their software components are updated to the latest secure versions. By staying vigilant and proactive, companies can better protect themselves from vulnerabilities that could be exploited by malicious actors.

 

Read More

https://thehackernews.com/2025/01/cisa-adds-five-year-old-jquery-xss-flaw.html?m=1