CVE-2020-11023
Untrusted Code Execution vulnerability in jquery
What is CVE-2020-11023 About?
This vulnerability in jQuery allows untrusted code execution when HTML containing `<option>` elements is passed from untrusted sources to DOM manipulation methods. The impact is execution of arbitrary JavaScript in the user's browser, enabling client-side attacks. Exploitation is straightforward, requiring only carefully crafted HTML input.
Affected Software
- jquery
  - >1.0.3, <3.5.0
- jquery-rails
  - <4.4.0
- jQuery
  - >1.0.3, <3.5.0
- org.webjars.npm:jquery
  - >1.0.3, <3.5.0
- components/jquery
  - >1.0.3, <3.5.0
Technical Details
The vulnerability arises when jQuery's DOM manipulation methods such as `.html()` or `.append()` are used with HTML strings that contain `<option>` elements, even if the overall HTML has been sanitized. Specifically, jQuery versions prior to 3.5.0 do not correctly handle and sanitize `<option>` tags, allowing embedded script or other active content within them to execute when inserted into the DOM. An attacker can inject malicious `<option>` elements that bypass sanitization routines by leveraging this parsing inconsistency, leading to cross-site scripting (XSS).
What is the Impact of CVE-2020-11023?
Successful exploitation may allow attackers to execute arbitrary client-side script code, perform cross-site scripting attacks, steal sensitive session information, deface web pages, or redirect users to malicious sites.
What is the Exploitability of CVE-2020-11023?
Exploiting this vulnerability involves supplying specially crafted HTML content to an application that uses vulnerable jQuery versions and processes user-controlled input with DOM manipulation methods. The complexity is low to moderate, as an attacker needs to know where their input will be reflected in the DOM. No specific authentication or privilege is required, as it primarily affects client-side processing. The attack is remote, delivered via web pages or applications that display user-generated content. The likelihood of exploitation increases if web applications do not rigorously sanitize all incoming HTML, especially when parsing elements like `<option>`.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Cybernegro | Link | CVE-2020-11023 PoC for bug bounty. |
| honeyb33z | Link | PoC for CVE-2020-11023 |
| Snorlyd | Link | Vulnerability Report of the New Jersey official site |
What are the Available Fixes for CVE-2020-11023?
About the Fix from Resolved Security
The patch removes the htmlPrefilter that previously converted self-closing tags (like `<div/>`) to explicit open/close pairs (like `<div></div>`). This fixes CVE-2020-11023 by preventing a parsing ambiguity in jQuery where attackers could exploit the filter to inject malicious HTML/script in certain browsers, particularly when handling SVG or similar markup; by passing the raw HTML through, jQuery avoids this dangerous automatic transformation and closes the security hole.
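The following JavaScript is an added example, not text from this advisory and not jQuery's own source. It ties the Technical Details and the fix description above together from the defender's side: a version check against the affected range listed under Affected Software (>1.0.3, <3.5.0), a reconstruction of the pre-3.5.0 `htmlPrefilter` that expanded self-closing tags into open/close pairs (the regular expression is my approximation of that behaviour and is assumed, not taken from the page), and a hardening step that replaces `htmlPrefilter` with an identity function so raw HTML passes through unchanged, which is how the page describes the 3.5.0 fix. The `$` object passed around is a constructed stand-in exposing `fn.jquery` and `htmlPrefilter`; in a real page it would be `window.jQuery`. Inputs are benign tag fragments, chosen only to show the transformation being removed.

```javascript
// Added example: audit a jQuery object for the CVE-2020-11023 affected range
// and apply an identity htmlPrefilter when it is affected.

// Parse "major.minor.patch" (a leading "v" and any suffix are tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable jQuery version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory's "Affected Software" list: >1.0.3 and <3.5.0.
function isAffectedJQueryVersion(version) {
  return compareVersions(version, "1.0.3") > 0 && compareVersions(version, "3.5.0") < 0;
}

// Reconstruction (assumed, not from the page) of the pre-3.5.0 prefilter:
// rewrite "<tag .../>" into "<tag ...></tag>" for every tag except void elements.
const SELF_CLOSING_TAG = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(SELF_CLOSING_TAG, "<$1></$2>");
}

// The fixed behaviour described in the advisory: the string is returned untouched.
function identityHtmlPrefilter(html) {
  return html;
}

// Mitigation for deployments that cannot upgrade yet: overwrite the prefilter
// on a jQuery-like object. Returns true if the prefilter was actually changed.
function hardenHtmlPrefilter($) {
  if (!$ || typeof $.htmlPrefilter !== "function") {
    throw new Error("object does not look like jQuery (no htmlPrefilter)");
  }
  const before = $.htmlPrefilter;
  $.htmlPrefilter = identityHtmlPrefilter;
  return before !== identityHtmlPrefilter;
}

// Constructed stand-in for a vulnerable jQuery build (not the real library).
function makeFakeLegacyJQuery(version) {
  return { fn: { jquery: version }, htmlPrefilter: legacyHtmlPrefilter };
}

// Audit helper: read the reported version, decide whether the workaround is
// needed, and apply it if so.
function auditAndHarden($) {
  const version = $.fn && $.fn.jquery;
  const affected = isAffectedJQueryVersion(version);
  const hardened = affected ? hardenHtmlPrefilter($) : false;
  return { version, affected, hardened };
}

// Demonstration on constructed, benign input.
const sample = "<div/><option/><br/>";
const legacy$ = makeFakeLegacyJQuery("3.4.1");
console.log("legacy prefilter :", legacy$.htmlPrefilter(sample)); // <div></div><option></option><br/>
const result = auditAndHarden(legacy$);
console.log("audit result     :", result);
console.log("after hardening  :", legacy$.htmlPrefilter(sample)); // <div/><option/><br/>
```

The audit step is the part worth reusing: run it once per page load (or per loaded jQuery copy, since bundled and CDN copies frequently coexist) and alert on any `affected: true` result so the upgrade path listed below can be prioritised. The identity prefilter is a stopgap, not a substitute for moving to 3.5.0 or later.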
Available Upgrade Options
- jQuery
  - >1.0.3, <3.5.0 → Upgrade to 3.5.0
- org.webjars.npm:jquery
  - >1.0.3, <3.5.0 → Upgrade to 3.5.0
- jquery-rails
  - <4.4.0 → Upgrade to 4.4.0
- jquery
  - >1.0.3, <3.5.0 → Upgrade to 3.5.0
- components/jquery
  - >1.0.3, <3.5.0 → Upgrade to 3.5.0
Additional Resources
- https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5@%3Cissues.hive.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json#L20-L37
- https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec@%3Cissues.hive.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K
- https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-565440
- https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-11023?
Similar Vulnerabilities: CVE-2020-11022, CVE-2015-9251, CVE-2012-6708, CVE-2019-11358, CVE-2016-10707
