Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

CVE-2020-11023

Disclosure Date: April 29, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources – even after sanitizing it – to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
6.1 Medium
Impact Score:
2.7
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None

General Information

Vendors

  • debian,
  • drupal,
  • fedoraproject,
  • jquery,
  • netapp,
  • oracle,
  • tenable

Products

  • application express,
  • application testing suite 13.3.0.1,
  • banking enterprise collections,
  • banking platform,
  • business intelligence 5.9.0.0.0,
  • communications analytics 12.1.1,
  • communications eagle application processor,
  • communications element manager 8.1.1,
  • communications element manager 8.2.0,
  • communications element manager 8.2.1,
  • communications interactive session recorder,
  • communications operations monitor,
  • communications operations monitor 3.4,
  • communications services gatekeeper 7.0,
  • communications session report manager 8.1.1,
  • communications session report manager 8.2.0,
  • communications session report manager 8.2.1,
  • communications session route manager 8.1.1,
  • communications session route manager 8.2.0,
  • communications session route manager 8.2.1,
  • debian linux 9.0,
  • drupal,
  • fedora 31,
  • fedora 32,
  • fedora 33,
  • financial services regulatory reporting for de nederlandsche bank 8.0.4,
  • financial services revenue management and billing analytics 2.7,
  • financial services revenue management and billing analytics 2.8,
  • h300e firmware -,
  • h300s firmware -,
  • h410c firmware -,
  • h410s firmware -,
  • h500e firmware -,
  • h500s firmware -,
  • h700e firmware -,
  • h700s firmware -,
  • health sciences inform 6.3.0,
  • healthcare translational research 3.2.1,
  • healthcare translational research 3.3.1,
  • healthcare translational research 3.3.2,
  • healthcare translational research 3.4.0,
  • hyperion financial reporting 11.1.2.4,
  • jd edwards enterpriseone orchestrator,
  • jd edwards enterpriseone tools,
  • jquery,
  • log correlation engine,
  • max data -,
  • oncommand insight -,
  • oncommand system manager,
  • oss support tools,
  • peoplesoft enterprise human capital management resources 9.2,
  • primavera gateway,
  • rest data services 11.2.0.4,
  • rest data services 12.1.0.2,
  • rest data services 12.2.0.1,
  • rest data services 18c,
  • rest data services 19c,
  • siebel mobile,
  • snap creator framework -,
  • snapcenter server -,
  • storagetek acsls 8.5.1,
  • storagetek tape analytics sw tool 2.3.1,
  • webcenter sites 12.2.1.3.0,
  • webcenter sites 12.2.1.4.0,
  • weblogic server 12.1.3.0.0,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0,
  • weblogic server 14.1.1.0.0

Exploited in the Wild

Reported by:

References

Advisory

Additional Info

Technical Analysis