CVE-2020-11023
JQuery Cross-Site Scripting (XSS) Vulnerability
Public Exploits: 8
Exploited in Wild: Yes
Descriptions
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
A flaw was found in jQuery. HTML containing <option> elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.
The jQuery Manager for WordPress plugin for WordPress is running a vulnerable version of jQuery in all versions up to, and including, 1.10.4, and the Enable jQuery Migrate Helper for WordPress is running a vulnerable version of jQuery in all versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to inject malicious web scripts, though it is not verified that the plugin is exploitable through CVE-2020-11023.
Ansible Tower release notes:
- Fixed two jQuery vulnerabilities
- Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP requests by default
- Updated several dependencies of Ansible Tower's User Interface to address
- Updated to the latest version of python-psutil to address CVE-2019-18874
- Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases
- Fixed workflows to no longer prevent certain users from being able to edit approval nodes
- Fixed confusing behavior for social auth logins across distinct browser tabs
- Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials
Issues addressed include code execution and cross site scripting vulnerabilities.
JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.
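The descriptions above give a single, precise affected range (jQuery >= 1.0.3 and < 3.5.0) and the CWE list adds CWE-1395, so the first practical question for a defender is which jQuery builds a site actually ships. The following is an added example, not code from this page or from the jQuery project: it scans page HTML or vendored library source for the version markers jQuery distributes with (the `/*! jQuery v3.4.1 | ...` banner of the minified file, the `jQuery JavaScript Library v1.12.4` banner of the unminified file, and versioned `jquery-X.Y.Z[.slim][.min].js` file names) and flags any version inside the advisory's range. The sample page, the marker list and the function names are constructed for the example. A match is a necessary condition only: as the WordPress plugin description notes, whether an application is exploitable also depends on it passing untrusted HTML containing `<option>` elements to `.html()`, `.append()` or a similar method.

```javascript
// Added example (not from the CVE page or the jQuery project): flag jQuery
// builds in the CVE-2020-11023 range (>= 1.0.3 and < 3.5.0) by scanning the
// markers that ship with the library. Input here is a constructed HTML string;
// a real scan would feed it the files of a deployed site.

const VULN_LOW = [1, 0, 3];   // first affected release (inclusive)
const VULN_HIGH = [3, 5, 0];  // first fixed release (exclusive)

// Parse "3.4.1", "1.12.4-rc1" or "3.5" into three numeric components.
// Pre-release suffixes are dropped; that is safe for this check because
// the only boundaries that matter are 1.0.3 and 3.5.0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when VULN_LOW <= version < VULN_HIGH; unparseable input is not flagged
function isVulnerableJQueryVersion(version) {
  const parsed = Array.isArray(version) ? version : parseVersion(version);
  if (!parsed) return false;
  return compareVersions(parsed, VULN_LOW) >= 0 &&
         compareVersions(parsed, VULN_HIGH) < 0;
}

// Version markers recognised in page HTML or in the library source itself
// (assumed formats, matching how jQuery's distributed files are labelled).
const MARKERS = [
  // banner of the minified file: "/*! jQuery v3.4.1 | (c) JS Foundation ..."
  /\/\*!\s*jQuery\s+v(\d+\.\d+(?:\.\d+)?)/g,
  // banner of the unminified file: "jQuery JavaScript Library v1.12.4"
  /jQuery JavaScript Library v(\d+\.\d+(?:\.\d+)?)/g,
  // versioned file names referenced from <script src="...">
  /jquery-(\d+\.\d+(?:\.\d+)?)(?:\.slim)?(?:\.min)?\.js/g,
];

// Return one finding per distinct version string found in `text`.
function findJQueryVersions(text) {
  const seen = new Map();
  for (const re of MARKERS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) {
      const version = m[1];
      if (!seen.has(version)) {
        seen.set(version, {
          version,
          vulnerable: isVulnerableJQueryVersion(version),
          evidence: m[0],
        });
      }
    }
  }
  return [...seen.values()];
}

// Constructed sample input: a page that loads a CDN copy of jQuery, inlines a
// vendored copy with its banner intact, and also loads a fixed release.
const SAMPLE_PAGE = `
<!doctype html>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script>/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */</script>
<script src="/static/vendor/jquery-3.5.1.min.js"></script>
`;

for (const f of findJQueryVersions(SAMPLE_PAGE)) {
  const verdict = f.vulnerable ? 'VULNERABLE (CVE-2020-11023)' : 'ok';
  console.log(`${f.version}\t${verdict}\t${f.evidence}`);
}
```

On the sample page this reports 1.12.4 and 3.4.1 as in range and 3.5.1 as fixed. Static markers miss copies that were renamed or bundled, which is exactly how the WordPress plugins above carry jQuery; at runtime the loaded version is available as `jQuery.fn.jquery` in the browser console, and that value should be checked against the same range.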
CVSS Scores
SSVC
- Decision: Attend
Timeline
- 2020-03-30 CVE Reserved
- 2020-04-29 CVE Published
- 2021-04-14 First Exploit
- 2025-01-23 Exploited in Wild
- 2025-02-10 CVE Updated
- 2025-02-13 KEV Due Date
- 2025-03-30 EPSS Updated
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-1395: Dependency on Vulnerable Third-Party Component
CAPEC
References (74)
URL | Date | SRC
---|---|---
https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpuApr2021.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Netapp | H300s Firmware | - | running on Netapp H300s (platform listed as Safe) | Affected
Netapp | H500s Firmware | - | running on Netapp H500s (platform listed as Safe) | Affected
Netapp | H700s Firmware | - | running on Netapp H700s (platform listed as Safe) | Affected
Netapp | H300e Firmware | - | running on Netapp H300e (platform listed as Safe) | Affected
Netapp | H500e Firmware | - | running on Netapp H500e (platform listed as Safe) | Affected
Netapp | H700e Firmware | - | running on Netapp H700e (platform listed as Safe) | Affected
Netapp | H410s Firmware | - | running on Netapp H410s (platform listed as Safe) | Affected
Netapp | H410c Firmware | - | running on Netapp H410c (platform listed as Safe) | Affected
Jquery | Jquery | >= 1.0.3 < 3.5.0 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Fedoraproject | Fedora | 31 | - | Affected
Fedoraproject | Fedora | 32 | - | Affected
Fedoraproject | Fedora | 33 | - | Affected
Drupal | Drupal | >= 7.0 < 7.70 | - | Affected
Drupal | Drupal | >= 8.7.0 < 8.7.14 | - | Affected
Drupal | Drupal | >= 8.8.0 < 8.8.6 | - | Affected
Oracle | Application Express | < 20.2 | - | Affected
Oracle | Application Testing Suite | 13.3.0.1 | - | Affected
Oracle | Banking Enterprise Collections | >= 2.7.0 <= 2.8.0 | - | Affected
Oracle | Banking Platform | >= 2.4.0 <= 2.10.0 | - | Affected
Oracle | Business Intelligence | 5.9.0.0.0 | enterprise | Affected
Oracle | Communications Analytics | 12.1.1 | - | Affected
Oracle | Communications Eagle Application Processor | >= 16.1.0 <= 16.4.0 | - | Affected
Oracle | Communications Element Manager | 8.1.1 | - | Affected
Oracle | Communications Element Manager | 8.2.0 | - | Affected
Oracle | Communications Element Manager | 8.2.1 | - | Affected
Oracle | Communications Interactive Session Recorder | >= 6.1 <= 6.4 | - | Affected
Oracle | Communications Operations Monitor | >= 4.1 <= 4.3 | - | Affected
Oracle | Communications Operations Monitor | 3.4 | - | Affected
Oracle | Communications Services Gatekeeper | 7.0 | - | Affected
Oracle | Communications Session Report Manager | 8.1.1 | - | Affected
Oracle | Communications Session Report Manager | 8.2.0 | - | Affected
Oracle | Communications Session Report Manager | 8.2.1 | - | Affected
Oracle | Communications Session Route Manager | 8.1.1 | - | Affected
Oracle | Communications Session Route Manager | 8.2.0 | - | Affected
Oracle | Communications Session Route Manager | 8.2.1 | - | Affected
Oracle | Financial Services Regulatory Reporting For De Nederlandsche Bank | 8.0.4 | - | Affected
Oracle | Financial Services Revenue Management And Billing Analytics | 2.7 | - | Affected
Oracle | Financial Services Revenue Management And Billing Analytics | 2.8 | - | Affected
Oracle | Health Sciences Inform | 6.3.0 | - | Affected
Oracle | Healthcare Translational Research | 3.2.1 | - | Affected
Oracle | Healthcare Translational Research | 3.3.1 | - | Affected
Oracle | Healthcare Translational Research | 3.3.2 | - | Affected
Oracle | Healthcare Translational Research | 3.4.0 | - | Affected
Oracle | Hyperion Financial Reporting | 11.1.2.4 | - | Affected
Oracle | Jd Edwards Enterpriseone Orchestrator | < 9.2.5.0 | - | Affected
Oracle | Jd Edwards Enterpriseone Tools | < 9.2.5.0 | - | Affected
Oracle | Oss Support Tools | < 2.12.41 | - | Affected
Oracle | Peoplesoft Enterprise Human Capital Management Resources | 9.2 | - | Affected
Oracle | Primavera Gateway | >= 16.2 <= 16.2.11 | - | Affected
Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.7 | - | Affected
Oracle | Primavera Gateway | >= 18.8.0 <= 18.8.9 | - | Affected
Oracle | Primavera Gateway | >= 19.12.0 <= 19.12.4 | - | Affected
Oracle | Rest Data Services | 11.2.0.4 | - | Affected
Oracle | Rest Data Services | 12.1.0.2 | - | Affected
Oracle | Rest Data Services | 12.2.0.1 | - | Affected
Oracle | Rest Data Services | 18c | - | Affected
Oracle | Rest Data Services | 19c | - | Affected
Oracle | Siebel Mobile | <= 20.12 | - | Affected
Oracle | Storagetek Acsls | 8.5.1 | - | Affected
Oracle | Storagetek Tape Analytics Sw Tool | 2.3.1 | - | Affected
Oracle | Webcenter Sites | 12.2.1.3.0 | - | Affected
Oracle | Webcenter Sites | 12.2.1.4.0 | - | Affected
Oracle | Weblogic Server | 12.1.3.0.0 | - | Affected
Oracle | Weblogic Server | 12.2.1.3.0 | - | Affected
Oracle | Weblogic Server | 12.2.1.4.0 | - | Affected
Oracle | Weblogic Server | 14.1.1.0.0 | - | Affected
Netapp | Max Data | - | - | Affected
Netapp | Oncommand Insight | - | - | Affected
Netapp | Oncommand System Manager | >= 3.0 <= 3.1.3 | - | Affected
Netapp | Snap Creator Framework | - | - | Affected
Netapp | Snapcenter Server | - | - | Affected
Tenable | Log Correlation Engine | < 6.0.9 | - | Affected