CISA Adds 5-Year-Old jQuery Vulnerability to KEV List

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it had added a long-standing security flaw in the widely used jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, designated as CVE-2020-11023, is classified as medium-severity with a CVSS score ranging from 6.1 to 6.9. Attackers can potentially exploit this nearly five-year-old cross-site scripting (XSS) issue to execute arbitrary code.

According to a GitHub advisory regarding the flaw, “Passing HTML containing <option> elements from untrusted sources—even after sanitizing them—to one of jQuery’s DOM manipulation methods (such as .html(), .append(), and others) may execute untrusted code.”

Developers addressed this issue in jQuery version 3.5.0, released in April 2020. As a workaround for CVE-2020-11023 on older versions, they recommend using DOMPurify with the SAFE_FOR_JQUERY flag enabled to sanitize the HTML string before passing it to any jQuery DOM manipulation method.
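The practical first step for a defender responding to this KEV entry is finding every copy of jQuery older than 3.5.0 in their web assets. The following Node.js script is an added example, not code from the article, jQuery or CISA: it pulls version strings out of script filenames (the jquery-3.4.1.min.js naming convention) and the banner comment jQuery ships at the top of its source, then compares each against the 3.5.0 fix version named above. The filename and banner patterns are assumptions about common deployment conventions, and the sample assets are constructed for the example.

```javascript
// Added example (not from the article): flag jQuery builds older than 3.5.0,
// the release that fixed CVE-2020-11023, across a set of web assets.

// Fix version stated in the article for CVE-2020-11023.
const FIXED_VERSION = '3.5.0';

// Assumed conventions: a script filename such as jquery-3.4.1.min.js or
// jquery-3.6.0.slim.min.js, and the banner comment jQuery ships, e.g.
// "/*! jQuery v3.4.1 ..." or "/*! jQuery JavaScript Library v1.12.4 ...".
const FILENAME_RE = /jquery[-.]v?(\d+\.\d+(?:\.\d+)?)(?:\.min|\.slim)*\.js/gi;
const BANNER_RE = /jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+\.\d+(?:\.\d+)?)/gi;

// "3.4" -> [3, 4, 0]; missing components are treated as zero.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric component-wise comparison, so 3.10.0 sorts above 3.5.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Anything below the fix version is in scope for CVE-2020-11023.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every distinct jQuery version string referenced in one asset.
function findJqueryVersions(text) {
  const found = new Set();
  for (const re of [FILENAME_RE, BANNER_RE]) {
    re.lastIndex = 0; // shared global regex: reset before each scan
    let m;
    while ((m = re.exec(text)) !== null) found.add(m[1]);
  }
  return [...found];
}

// One finding per version seen in the asset, with the remediation advice
// from the article (upgrade, or sanitize with DOMPurify until then).
function auditAsset(name, text) {
  return findJqueryVersions(text).map((version) => {
    const affected = isAffected(version);
    return {
      asset: name,
      version,
      affected,
      advice: affected
        ? 'Upgrade to jQuery 3.5.0 or later; until then pass untrusted HTML through DOMPurify (SAFE_FOR_JQUERY) before .html()/.append()'
        : 'Not affected by CVE-2020-11023',
    };
  });
}

// Constructed sample assets: two vulnerable builds, one fixed, one without jQuery.
const SAMPLE_ASSETS = {
  'index.html': '<script src="/static/jquery-3.4.1.min.js"></script>\n<script src="/static/app.js"></script>',
  'vendor/jquery.js': '/*! jQuery JavaScript Library v1.12.4 | (c) jQuery Foundation | jquery.org/license */',
  'admin.html': '<script src="https://code.jquery.com/jquery-3.6.0.slim.min.js"></script>',
  'about.html': '<script src="/static/app.js"></script>',
};

function auditAll(assets = SAMPLE_ASSETS) {
  return Object.entries(assets).flatMap(([name, text]) => auditAsset(name, text));
}

for (const r of auditAll()) {
  console.log(`${r.asset}: jQuery ${r.version} -> ${r.affected ? 'AFFECTED' : 'ok'} (${r.advice})`);
}
```

In a real inventory, feed auditAll an object built by reading the site's HTML and JavaScript files from disk; a page that loads jQuery from a CDN without a version in the URL will not be caught by these patterns and needs a manual check.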

As is common with such advisories, CISA has provided limited details about the specific nature of the exploitation or the identities of the threat actors taking advantage of this vulnerability. Additionally, there are no public reports confirming any attacks that have utilized this particular flaw.

However, in February 2024, Dutch security firm EclecticIQ disclosed that command-and-control (C2) addresses linked to a malicious campaign exploiting vulnerabilities in Ivanti appliances were running a version of jQuery vulnerable to at least one of three flaws: CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.

In accordance with Binding Operational Directive (BOD) 22-01, the Cybersecurity and Infrastructure Security Agency (CISA) advises Federal Civilian Executive Branch (FCEB) agencies to remediate this identified flaw by February 13, 2025, to protect their networks from active threats.
