Description

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Remediation

References

CVE-2020-11022

Related Vulnerabilities

WordPress Plugin Membership & Content Restriction-Paid Member Subscriptions Multiple Vulnerabilities (2.4.1)

WordPress Plugin WP Post Rating Security Bypass (2.4.6)

WordPress Plugin Abandoned Cart Lite for WooCommerce Security Bypass (5.14.2)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-3732)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-4307)

Severity

Medium

Classification

CVE-2020-11022 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities