CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List

Jan 24, 2025Ravie LakshmananVulnerability / JavaScript

Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw affecting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities catalog.

The medium-severity vulnerability, CVE-2020-11023 (CVSS score: 6.1/6.9), is a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.

"Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code," according to an advisory released for the flaw.

The issue was addressed in jQuery version 3.5.0, which was released in April 2020. As a workaround for CVE-2020-11023, the HTML string can be sanitized with a sanitizer that has the SAFE_FOR_JQUERY flag set before it is passed to a jQuery method.
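As an added example, not code from the article or from the jQuery project, the following Node.js snippet scans page source for jQuery script references and flags any build older than 3.5.0, the release that fixed CVE-2020-11023. The sample HTML and the `jquery-X.Y.Z(.min).js` file-name convention are assumptions.

```javascript
// Added example: inventory jQuery builds referenced by a page and flag
// those predating 3.5.0 (the CVE-2020-11023 fix). Assumes the common
// jquery-X.Y.Z(.min).js naming convention for script file names.
const FIXED_VERSION = [3, 5, 0];

// Parse "X.Y" or "X.Y.Z" into numeric parts; returns null if unrecognised.
function parseVersion(str) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(str);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version predates the 3.5.0 fix for CVE-2020-11023.
function isVulnerableJQuery(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unrecognised jQuery version: ${version}`);
  return compareVersions(v, FIXED_VERSION) < 0;
}

// Extract jQuery versions from <script src="...jquery-1.12.4.min.js"> tags.
function findJQueryScripts(html) {
  const re = /<script[^>]*\bsrc=["']([^"']*jquery-(\d+\.\d+(?:\.\d+)?)[^"']*\.js)["']/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    findings.push({ src: m[1], version: m[2], vulnerable: isVulnerableJQuery(m[2]) });
  }
  return findings;
}

// Constructed sample page source for demonstration (not a real site).
const SAMPLE_HTML = `
<script src="/static/jquery-1.12.4.min.js"></script>
<script src="https://cdn.example.test/jquery-3.4.1.js"></script>
<script src="/static/jquery-3.5.0.min.js"></script>
<script src="/static/jquery-3.7.1.min.js"></script>
`;

for (const f of findJQueryScripts(SAMPLE_HTML)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.version}  ${f.src}`);
}
```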

As is usually the case, the CISA advisory provides few details about the specific nature of the exploitation or the identity of the threat actors attempting to exploit the flaw. There have been no recent public reports of attacks exploiting the vulnerability in question.

That said, there are reports that the vulnerability has been exploited by threat actors like APT1 (aka Brown Fox and Comment Panda) and (aka Brown Worm and Emissary Panda), per reports from and .

Dutch security firm EclecticIQ also noted in February 2024 that the command-and-control (C2) addresses associated with a campaign exploiting security flaws in Ivanti appliances ran a version of jQuery that was susceptible to at least one of three flaws: CVE-2020-11023, , and .

Federal Civilian Executive Branch (FCEB) agencies are advised to remediate the identified flaw by February 13, 2025, in accordance with Binding Operational Directive (BOD) 22-01, to protect their networks against active threats.

(The article was updated after publication to reference CVE-2020-11023.)
