Steps to Reproduce
This medium-severity vulnerability affects jQuery versions greater than or equal to 1.2 and before 3.5.0. The problem occurs when HTML from untrusted sources, even after it has been sanitized, is passed to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others). Because the input was not correctly sanitized by jQuery itself, these methods could end up executing untrusted code.
Addressing the Issue
Clients should update to jQuery 3.5.0 immediately after thorough testing. Extensive testing is required because the sanitization method used in jQuery.htmlPrefilter() changed in 3.5.0 and there are edge cases in which sanitization functionality may produce unexpected results. If the old behavior is absolutely required, the jQuery 3.5.0 Release blog describes a way to use the old logic in a safe way. Alternatively, for clients unable to migrate, HeroDevs provides Never Ending Support for jQuery including versions of jQuery 1 and jQuery 2 with fixes for this security vulnerability.
Learning and Prevention
Sanitizing untrusted data before using or storing it is a security best practice for good reason: unsanitized input is a common vector for breaking code. In this case, the defect was in the code designed to sanitize the data itself. The best available fix was to move away from the regular-expression-based rewriting to a new way of sanitizing the data.
Normally, the built-in sanitization methods are sufficient. However, despite employing a new sanitization method in version 3.5.0, the jQuery team also recommends using the DOMPurify library for additional sanitization, making sure to enable its SAFE_FOR_JQUERY option. DOMPurify is a very popular, highly configurable library specifically designed to help prevent Cross-Site Scripting (XSS) exploits.
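To make the point above concrete, here is an added illustration (not jQuery's own module and not from the original page) of the two shapes of jQuery.htmlPrefilter around this CVE: the pre-3.5.0 regular-expression rewrite and the 3.5.0 pass-through, plus a defender-side check that tells you whether a fragment your sanitizer approved would still be rewritten before the browser parses it. The regex is transcribed from jQuery's pre-3.5.0 manipulation code; the sample fragments are constructed and benign.

```javascript
// Added illustration (not jQuery's own module): the two shapes of
// jQuery.htmlPrefilter around CVE-2020-11022, plus a defender-side check.

// Regex transcribed from jQuery's pre-3.5.0 manipulation code. It rewrites
// any self-closing tag that is not a void element (<x/> becomes <x></x>).
// Because this ran *after* the caller's sanitizer, the markup the browser
// finally parsed was not the markup the sanitizer had approved.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Input filtering applied by .html()/.append() before 3.5.0.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Behaviour from 3.5.0 onward: the string passes through unchanged, so
// whatever the sanitizer produced is exactly what gets parsed.
function fixedHtmlPrefilter(html) {
  return html;
}

// Defender-side guard: does a (supposedly sanitized) fragment get rewritten
// by the legacy prefilter? If so, the sanitizer's guarantees no longer cover
// what the browser will parse. Handy as a unit test for an application that
// is still pinned to jQuery < 3.5.0.
function alteredByLegacyPrefilter(html) {
  return legacyHtmlPrefilter(html) !== html;
}

// Constructed sample fragments. All are benign; the point is only that the
// rewrite changes structure, not that any of them is an attack.
const samples = [
  "<p>hello</p>",           // no self-closing tag: untouched
  "<br/>",                  // void element: untouched
  "<div/>",                 // rewritten to <div></div>
  '<span class="x"/>text',  // attributes kept, closing tag appended
];

// Returns, per sample, what each prefilter produces and whether it changed.
function report() {
  return samples.map((html) => ({
    input: html,
    legacy: legacyHtmlPrefilter(html),
    fixed: fixedHtmlPrefilter(html),
    altered: alteredByLegacyPrefilter(html),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

Running it shows that only the non-void self-closing fragments are altered, which is exactly the gap the 3.5.0 change closed and the reason DOMPurify's SAFE_FOR_JQUERY option exists for applications that cannot upgrade.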
Conclusion
To provide the most secure JavaScript frameworks possible for their sites, HeroDevs NES clients receive versions of jQuery which have this and all other relevant CVEs fixed.
This fix directly corrects the potential security hole described by CVE-2020-11022. To stay apprised of security updates like these, contact us today to become a customer.
Resources
- NIST CVE-2020-11022 entry
- jQuery 3.5.0 Release blog entry
- DOMPurify sanitization library