CVE-2020-7656
Cross-Site Scripting (XSS) vulnerability in jquery (npm)
What is CVE-2020-7656 About?
Versions of `jquery` prior to 1.9.0 are vulnerable to Cross-Site Scripting (XSS) due to improper `<script>` tag removal when a whitespace character is present. This flaw allows attackers to execute arbitrary JavaScript in a victim's browser. Exploitation is relatively easy, requiring an attacker to inject specially crafted HTML.
Affected Software
- jquery
  - >1.2.1, <1.9.0
- jQuery
  - >1.2.1, <1.9.0
- jquery-rails
  - <2.2.0
- org.webjars.npm:jquery
  - >1.2.1, <1.9.0
Technical Details
The vulnerability exists in jquery versions prior to 1.9.0, specifically in the sanitization step of the `load` method. The `load` method fails to identify and remove `<script>` HTML tags when a whitespace character sits between the closing tag name and the angle bracket (e.g., `</script >`). This parsing flaw lets an attacker bypass jquery's intended script removal. When HTML containing such a malformed but still executable `<script>` tag is injected into content that jquery subsequently loads and renders, the enclosed JavaScript runs in the context of the user's browser. This enables typical Cross-Site Scripting attacks in which an attacker can steal session cookies, deface web pages, or redirect users.
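Why a regex-based script stripper misses the whitespace variant, as an added illustration that is not jQuery's source: the legacy pattern below is an assumed reconstruction of the kind of regex the `ajax.js` reference points at (not copied from the project), shown beside a variant that tolerates whitespace before the closing bracket, with an audit check run over constructed sample fragments.

```javascript
// Added example (not jQuery's own code). LEGACY_RSCRIPT is an assumed
// reconstruction of a pre-1.9 style script-stripping regex, not the
// project's file; STRICT_RSCRIPT is the same idea with whitespace allowed
// before the closing angle bracket.

// Legacy pattern: the closing tag must be exactly "</script>".
const LEGACY_RSCRIPT = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// Hardened pattern: the inner "not yet at the closing tag" lookahead and the
// final closing-tag match both accept optional whitespace, e.g. "</script >".
const STRICT_RSCRIPT = /<script\b[^<]*(?:(?!<\/script\s*>)<[^<]*)*<\/script\s*>/gi;

function stripScriptsLegacy(html) {
  return html.replace(LEGACY_RSCRIPT, "");
}

function stripScriptsStrict(html) {
  return html.replace(STRICT_RSCRIPT, "");
}

// Audit check: does any <script ...> opening tag survive stripping? This
// looks for the opening tag directly instead of trusting the stripper.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample fragments: a well-formed closing tag, and the
// whitespace variant the advisory describes.
const NORMAL = '<div>hello</div><script>console.log("ran")</script><p>x</p>';
const SPACED = '<div>hello</div><script>console.log("ran")</script ><p>x</p>';

// Legacy regex: strips NORMAL, but leaves the script in SPACED untouched.
// Strict regex: strips both.
console.log("legacy leaves script in SPACED:", hasScriptTag(stripScriptsLegacy(SPACED)));
console.log("strict leaves script in SPACED:", hasScriptTag(stripScriptsStrict(SPACED)));
```

A tighter regex narrows this one gap but still treats HTML as text; the advisory's remedy is upgrading to 1.9.0, not patching the pattern.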
What is the Impact of CVE-2020-7656?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement of the website, redirection to malicious sites, or unauthorized access to sensitive information such as cookies.
What is the Exploitability of CVE-2020-7656?
Exploitation of this XSS vulnerability is of low to moderate complexity. It typically requires an attacker to inject malicious HTML content, specifically a malformed `<script>` tag with a trailing whitespace (`</script >`), into a data source that is subsequently loaded and processed by the vulnerable jquery `load` method. No specific authentication or prior privileges are required on the target server, only the ability to supply or influence content that is then displayed by a vulnerable client. This is a remote exploitation scenario, as the attacker's payload is delivered to and executed in the victim's browser. The main prerequisite is that the application uses a vulnerable version of jquery (prior to 1.9.0) and dynamically renders user-controlled HTML content without sufficient sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7656?
Available Upgrade Options
- org.webjars.npm:jquery
  - >1.2.1, <1.9.0 → Upgrade to 1.9.0
- jquery-rails
  - <2.2.0 → Upgrade to 2.2.0
- jquery
  - >1.2.1, <1.9.0 → Upgrade to 1.9.0
- jQuery
  - >1.2.1, <1.9.0 → Upgrade to 1.9.0
Additional Resources
- https://security.netapp.com/advisory/ntap-20200528-0001
- https://github.com/jquery/jquery/blob/9e6393b0bcb52b15313f88141d0bd7dd54227426/src/ajax.js#L203
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://snyk.io/vuln/SNYK-JS-JQUERY-569619
- https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US
- https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-7656.yml
- https://osv.dev/vulnerability/GHSA-q4m3-2j7h-f7xw
What are Similar Vulnerabilities to CVE-2020-7656?
Similar Vulnerabilities: CVE-2023-3481, CVE-2023-37905, CVE-2016-10707, CVE-2017-16016, CVE-2015-9251
