The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a five-year-old cross-site scripting (XSS) vulnerability identified as CVE-2020-11023, found in the widely-used jQuery JavaScript library, to its Known Exploited Vulnerabilities (KEV) catalog. Despite this medium-severity flaw being patched in April 2020 with the release of jQuery version 3.5.0, it continues to pose significant risks due to ongoing evidence of active exploitation. The flaw, assigned a CVSS score ranging from 6.1 to 6.9, allows for arbitrary code execution when HTML containing elements from untrusted sources is passed to jQuery’s Document Object Model (DOM) manipulation methods.
Although the jQuery team released a fix over three years ago, the vulnerability remains exploitable if organizations do not update their systems to the latest version. A potential workaround involves utilizing DOMPurify with the SAFE_FOR_JQUERY flag to sanitize HTML strings before they are processed with jQuery functions. However, CISA’s advisory stops short of providing detailed specifics regarding the modes of exploitation or the identities of the threat actors. Notable groups such as APT1, also recognized as Brown Fox or Comment Panda, and APT27, known as Brown Worm or Emissary Panda, have reportedly leveraged this flaw in their malicious activities.
Vulnerability Details and Exploitation Evidence
In February 2024, Dutch security firm EclecticIQ disclosed that command and control addresses associated with malicious campaigns targeting Ivanti appliances used vulnerable jQuery versions susceptible to CVE-2020-11023 among other flaws. This vulnerability, if exploited, can lead to severe security breaches, allowing attackers to execute arbitrary code within the user’s browser environment. The exploitation typically involves injecting malicious scripts into web pages viewed by unsuspecting users, potentially giving hackers unauthorized access to sensitive information or the ability to perform further attacks.
The persistent use of outdated jQuery versions by some organizations has only exacerbated the risk associated with this XSS flaw. In response to growing concerns, CISA strongly urges all impacted entities to update their jQuery libraries to the patched versions, if they have not already done so. The advisory comes as part of an ongoing effort to bolster the nation’s cybersecurity defenses and mitigate the damage from known exploitable vulnerabilities. Agencies within the Federal Civilian Executive Branch (FCEB) were specifically instructed to address this issue by February 13, 2025, as mandated by Binding Operational Directive (BOD) 22-01.
Importance of Timely Remediation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently included a five-year-old cross-site scripting (XSS) flaw identified as CVE-2020-11023 in its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, found in the popular jQuery JavaScript library, was patched in April 2020 with the release of jQuery version 3.5.0. Despite this, it remains a significant threat due to evidence of ongoing exploitation. With a CVSS score ranging from 6.1 to 6.9, this medium-severity issue allows for arbitrary code execution when HTML with elements from untrusted sources is passed to jQuery’s DOM manipulation methods.
Although the jQuery team provided a fix over three years ago, the vulnerability persists where systems aren’t updated. As a potential workaround, leveraging DOMPurify with the SAFE_FOR_JQUERY flag can sanitize HTML strings before processing them with jQuery functions. However, CISA’s advisory does not detail the exploitation methods or identify the attackers. Notable threat groups such as APT1 (Brown Fox or Comment Panda) and APT27 (Brown Worm or Emissary Panda) have reportedly utilized this flaw for malicious purposes.