View all Vulnerabilities

CVE-2020-11023

Cross-Site Scripting
Affects
jQuery
>=1.0.3 <3.5.0
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Steps to Reproduce

This Medium level exploit is related to CVE-2020-11022; it can be found in jQuery versions greater than or equal to 1.0.3 and before 3.5.0. Instead of being concerned with general HTML (which CVE-2020-11022 handles), this problem may occur when passing HTML containing <option> elements, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others). With input not correctly sanitized, these methods may execute untrusted code.

Addressing the Issue

Clients should update to jQuery 3.5.0 immediately after thorough testing. Extensive testing is required because the sanitization method used in jQuery.htmlPrefilter()  changed in 3.5.0 and there are edge cases in which sanitization functionality may produce unexpected results. If the old behavior is absolutely required, the jQuery 3.5.0 Release blog describes a way to use the old logic in a safe way.

Learning and Prevention

Sanitizing untrusted data before using or storing it is a security best practice for good reason: it is a common vector for breaking code. In this case, the error was found in the code designed to sanitize the data that specifically included <option> elements.

Normally, using the built-in sanitization methods are sufficient. However, despite employing a new sanitization method in version 3.5.0, the jQuery team also recommends using the DOMPurify library for additional sanitization and to be sure to use the SAFE_FOR_JQUERY option. DOMPurify is a very popular, highly configurable library specifically designed to help prevent Cross-Site Scripting (XSS) exploits.

Conclusion

To provide the most secure possible Javascript frameworks for their sites, HeroDevs NES clients receive this version of jQuery and all other relevant CVEs that have been fixed.

This fix directly corrects directly corrects the potential security hole described by CVE-2020-11023. To stay apprised of security updates like these, contact us today to become a customer.

Resources

Vulnerability Details

ID
CVE-2020-11023
Libraries Affected
jQuery
Versions Affected
>=1.0.3 <3.5.0
≈ Fix date
February 1, 2023
Fixed in
jQuery NES
Severity
Medium
Category
Cross-Site Scripting

Sign up for alerts

Get alerted whenever a new vulnerability is fixed in the open source software we support.

Saving the day when your open source software is sunsetting
+1 877-586-1965
hello@herodevs.com
8850 S 700 E #2437
Sandy, UT 84070
Company
Home
Careers
Pricing
Partners
Pro Services
Contact
Products
All Products
Angular NES
jQuery NES
Drupal 7 NES
AngularJS NES
Vue 2 NES
Bootstrap NES
Nuxt NES
Spring NES
Protractor NES
Resources
Blog
Vulnerability Directory
Newsletters
Legal
Privacy Policy
Terms of Service
Socials
© 2024 herodevs.com  |  All Rights Reserved