CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List

Jan 24, 2025 | Ravie Lakshmanan | Vulnerability / JavaScript

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.

“Passing HTML containing <option> elements from untrusted sources – even after sanitizing them – to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code,” according to a GitHub advisory released for the flaw.


The problem was addressed in jQuery version 3.5.0, released in April 2020. A workaround for CVE-2020-11023 involves using DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method.
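To find copies that still predate the 3.5.0 fix, the following added example (not code from the article or the jQuery project) classifies script files by the version in jQuery's banner comment or file name. The helper names and the sample inventory are constructed for illustration.

```javascript
// Added example (not from the article or the jQuery project).
// First release containing the CVE-2020-11023 fix, per the article.
const FIXED = [3, 5, 0];

// Where a version can be read from: the banner comment jQuery ships with,
// then a versioned file name. Pre-release suffixes (-rc.1) are ignored.
const BANNER = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?/;
const FILENAME = /jquery[-.](\d+)\.(\d+)(?:\.(\d+))?(?:\.slim|\.min)*\.js/i;

function extractVersion(text, pattern) {
  const m = pattern.exec(text || "");
  return m ? [m[1], m[2], m[3] || "0"].map(Number) : null;
}

function isBelow(version, fixed) {
  for (let i = 0; i < fixed.length; i++) {
    if (version[i] !== fixed[i]) return version[i] < fixed[i];
  }
  return false; // equal to the fixed release
}

// Hypothetical helper: classify one script by its content banner, falling
// back to the file name, because files are often renamed to jquery.min.js.
function assess(name, content) {
  const v = extractVersion(content, BANNER) || extractVersion(name, FILENAME);
  if (!v) return { name, version: null, status: "unknown" };
  const status = isBelow(v, FIXED) ? "vulnerable" : "patched";
  return { name, version: v.join("."), status };
}

// Constructed sample inventory (paths and contents are made up).
const inventory = [
  ["static/js/jquery.min.js", "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */"],
  ["vendor/jquery-1.12.4.js", ""],
  ["assets/jquery-3.5.0.min.js", ""],
  ["assets/app.bundle.js", "console.log('no banner here');"],
];

function findVulnerable(items) {
  return items.map(([n, c]) => assess(n, c)).filter((r) => r.status === "vulnerable");
}

console.log(findVulnerable(inventory));
```

Files reported as "unknown" carry no readable version and need manual review rather than being treated as patched.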

As is typically the case, the advisory from CISA is lean on details about the specific nature of exploitation and the identity of threat actors weaponizing the shortcoming. Nor are there any public reports related to attacks that leverage the flaw in question.

That said, Dutch security firm EclecticIQ revealed in February 2024 that the command-and-control (C2) addresses associated with a malicious campaign exploiting security flaws in Ivanti appliances ran a version of jQuery that was susceptible to at least one of the three flaws, CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the identified flaw by February 13, 2025, to secure their networks against active threats.
