CVE DATABASE / CVE-2020-11023

CVE-2020-11023

JQuery Cross-Site Scripting (XSS) Vulnerability

CVSS 6.9 · MEDIUM ⚠ CISA KEV — ACTIVELY EXPLOITED

On the CISA KEV catalog

Confirmed exploited in the wild. Added 2025-01-23. Federal remediation due 2025-02-13.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Summary

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVSS 3.1 breakdown

Base score	6.9 (MEDIUM)
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack vector	NETWORK
Attack complexity	HIGH
Privileges required	NONE
User interaction	REQUIRED
Scope	CHANGED
Confidentiality	HIGH
Integrity	LOW
Availability	NONE

Weakness type (CWE)

CWE-79

Affected products

Jquery jqueryDebian debian linuxFedoraproject fedoraDrupal drupalOracle application expressOracle application testing suiteOracle banking enterprise collectionsOracle banking platformOracle blockchain platformOracle business intelligenceOracle communications analyticsOracle communications eagle application processorOracle communications element managerOracle communications interactive session recorderOracle communications operations monitorOracle communications services gatekeeperOracle communications session report managerOracle communications session route managerOracle financial services regulatory reporting for de nederlandsche bankOracle financial services revenue management and billing analytics

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD + CISA KEV. NVD last modified 2025-11-07. Always verify against the vendor advisory before acting.