jQuery XSS Vulnerability: A Cross-Site Scripting Threat
Introduction
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a known exploited vulnerability in the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2020-11023, is a medium-severity cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.
Background
The vulnerability was addressed in jQuery version 3.5.0 released in April 2020. A workaround for CVE-2020-11023 involves using DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method.
Exploitation
The vulnerability can be exploited by passing HTML containing
Threat Actors
Dutch security firm EclecticIQ revealed in February 2024 that the command-and-control (C2) addresses associated with a malicious campaign exploiting security flaws in Ivanti appliances ran a version of jQuery that was susceptible to at least one of the three flaws CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.
Remediation
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the identified flaw by February 13, 2025, to secure their networks against active threats.
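One way to triage the jQuery copies in an asset inventory against the three advisories named above, as an added example that is not part of the article or of the jQuery project: it classifies a version string (from jQuery.fn.jquery or from a script URL) by which CVEs still apply, using the fix versions from the advisories, 3.4.0 for CVE-2019-11358 and 3.5.0 for CVE-2020-11022 and CVE-2020-11023; the script URLs in SAMPLE_SCRIPTS are constructed sample input.

```javascript
// Added example (not from the article or the jQuery project).
// Fix versions per the GitHub advisories for the three CVEs named above.
const JQUERY_FIXES = [
  { id: "CVE-2019-11358", fixedIn: "3.4.0" }, // prototype pollution in $.extend
  { id: "CVE-2020-11022", fixedIn: "3.5.0" }, // XSS via htmlPrefilter
  { id: "CVE-2020-11023", fixedIn: "3.5.0" }, // XSS via <option> elements
];

// Parse "3.4.1" or "3.5.0-pre" into a comparable form. A pre-release tag
// (jQuery dev builds use "-pre") sorts below the final release of that number.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised jQuery version: ${v}`);
  return { parts: [m[1], m[2], m[3] || "0"].map(Number), pre: Boolean(m[4]) };
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// CVE ids that still apply to this version (empty array when fully patched).
function affectedCves(version) {
  return JQUERY_FIXES.filter(f => compareVersions(version, f.fixedIn) < 0).map(f => f.id);
}

// Extract the version from a jQuery build URL such as ".../jquery-1.12.4.min.js"
// or ".../jquery-3.5.1.slim.min.js"; null when the URL is not a jQuery build.
function versionFromScriptUrl(url) {
  const m = /jquery[-.](\d+\.\d+(?:\.\d+)?(?:-[0-9A-Za-z.]+)?)(?:\.slim)?(?:\.min)?\.js/i.exec(url);
  return m ? m[1] : null;
}

// Constructed sample of <script src> values as an inventory crawl would collect them.
const SAMPLE_SCRIPTS = [
  "https://code.jquery.com/jquery-1.12.4.min.js",
  "/static/vendor/jquery-3.4.1.js",
  "https://code.jquery.com/jquery-3.5.1.slim.min.js",
  "/static/app.js",
];

// One finding per recognised jQuery build: which of the three CVEs remain open.
function scanScripts(urls) {
  return urls.flatMap(u => {
    const v = versionFromScriptUrl(u);
    return v ? [{ url: u, version: v, cves: affectedCves(v) }] : [];
  });
}
```

Any finding with a non-empty cves list needs the upgrade to 3.5.0 or the DOMPurify workaround described above.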
Conclusion
The CISA advisory is lean on details about the specific nature of exploitation and the identity of threat actors weaponizing the shortcoming. However, it is essential for organizations to take immediate action to remediate the identified flaw and prevent potential attacks.
Additional Resources
- CISA Known Exploited Vulnerabilities (KEV) catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- GitHub advisory: https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
- DOMPurify: https://github.com/cure53/DOMPurify
- SAFE_FOR_JQUERY flag: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page