
CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday placed a now-patched security flaw impacting the popular jQuery JavaScript library in its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.

“Passing HTML containing <option> elements from untrusted sources – even after sanitizing them – to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code,” according to a GitHub advisory released for the flaw.


The issue was addressed in jQuery version 3.5.0, released in April 2020. A workaround for CVE-2020-11023 involves using DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method.

As is often the case, the advisory from CISA is lean on details about the specific nature of exploitation and the identity of threat actors weaponizing the shortcoming. Nor are there any public reports related to attacks that leverage the flaw in question.


That said, Dutch security firm EclecticIQ revealed in February 2024 that the command-and-control (C2) addresses associated with a malicious campaign exploiting security flaws in Ivanti appliances ran a version of jQuery that was susceptible to at least one of three flaws: CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the identified flaw by February 13, 2025, to secure their networks against active threats.
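For remediation, the first step is finding every bundled copy of jQuery older than the 3.5.0 fix release. The following is an added example, not code from CISA, jQuery or the original article: it reads the version banner jQuery places at the top of its builds and flags anything below 3.5.0. The file paths and file contents are constructed samples, and the function names are hypothetical.

```javascript
// Added example: flag jQuery builds older than 3.5.0, the release the
// article names as the fix for CVE-2020-11023.
const FIXED = [3, 5, 0];

// Banner forms found at the top of jQuery builds:
//   minified:    /*! jQuery v3.4.1 | (c) JS Foundation ... */
//   unminified:   * jQuery JavaScript Library v3.4.1
const BANNER =
  /jQuery (?:JavaScript Library )?v((\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?)/;

function parseJqueryVersion(source) {
  // The banner sits at the head of the file, so only scan the first 2 KB.
  const m = BANNER.exec(source.slice(0, 2048));
  if (!m) return null;
  return {
    text: m[1],
    parts: [Number(m[2]), Number(m[3]), Number(m[4] || 0)],
    prerelease: m[5] || "",
  };
}

function isBelowFix(v) {
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] !== FIXED[i]) return v.parts[i] < FIXED[i];
  }
  // Same numbers as the fix: a pre-release tag (e.g. 3.5.0-rc.1) precedes
  // the final release, so it is conservatively treated as needing an upgrade.
  return v.prerelease !== "";
}

function auditJquery(files) {
  // files: { path: fileContents }. Returns one finding per file.
  return Object.entries(files).map(([path, source]) => {
    const v = parseJqueryVersion(source);
    if (!v) return { path, version: null, status: "unknown" };
    return { path, version: v.text, status: isBelowFix(v) ? "upgrade" : "ok" };
  });
}

// Constructed sample inputs (not taken from any real deployment).
const SAMPLE_FILES = {
  "static/js/jquery.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){}();",
  "vendor/jquery-1.12.4.js": "/*!\n * jQuery JavaScript Library v1.12.4\n * http://jquery.com/\n */\n",
  "assets/jquery.slim.min.js": "/*! jQuery v3.5.0 -ajax,-ajax/jsonp | (c) JS Foundation and other contributors */\n",
  "assets/app.bundle.js": "(function(){console.log('banner stripped by bundler')})();",
};

for (const f of auditJquery(SAMPLE_FILES)) {
  console.log(`${f.status.padEnd(8)} ${f.version || "-"}  ${f.path}`);
}
```

A result of "unknown" is not a clean bill of health: bundlers and minifiers often strip the banner, so those files need a check against the dependency manifest or lockfile.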
