The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday positioned a now-patched safety flaw impacting the favored jQuery JavaScript library to its Identified Exploited Vulnerabilities (KEV) catalog, based mostly on proof of lively exploitation.
The medium-severity vulnerability is CVE-2020-11023 (CVSS rating: 6.1/6.9), a virtually five-year-old cross-site scripting (XSS) bug that could possibly be exploited to attain arbitrary code execution.
“Passing HTML containing
The issue was addressed in jQuery model 3.5.0 launched in April 2020. A workaround for CVE-2020-11023 entails utilizing DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string earlier than passing it to a jQuery technique.
As is usually the case, the advisory from CISA is lean on particulars concerning the particular nature of exploitation and the id of risk actors weaponizing the shortcoming. Nor are there any public experiences associated to assaults that leverage the flaw in query.
That mentioned, Dutch safety agency EclecticIQ revealed in February 2024 that the command-and-control (C2) addresses related to a malicious marketing campaign exploiting safety flaws in Ivanti home equipment ran a model of JQuery that was prone to at the very least one of many three flaws, CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Govt Department (FCEB) businesses are advisable to remediate the recognized flaw by February 13, 2025, to safe their networks towards lively threats.