CVE-2020-11023 – Potential XSS vulnerability in jQuery

https://notcve.org/view.php?id=CVE-2020-11023

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. En jQuery versiones mayores o iguales a 1.0.3 y anteriores a la versión 3.5.0, passing HTML contiene elementos de fuentes no seguras – incluso después de sanearlo – para uno de los métodos de manipulación de jQuery ´s DOM ( i.e. html t(), adjunto (), y otros ) podrían ejecutar códigos no seguros. Este problema está corregido en JQuery 3.5.0. A flaw was found in jQuery. • https://www.exploit-db.com/exploits/49767 https://github.com/0xAJ2K/CVE-2020-11022-CVE-2020-11023 https://github.com/Cybernegro/CVE-2020-11023 https://github.com/Snorlyd/https-nj.gov---CVE-2020-11023 http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •