CISA Adds Exploited jQuery XSS Flaw CVE-2020-11023 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a five-year-old cross-site scripting (XSS) vulnerability identified as CVE-2020-11023, found in the widely-used jQuery JavaScript library, to its Known Exploited Vulnerabilities (KEV) catalog. Despite this medium-severity flaw being patched in April 2020 with the release of jQuery version 3.5.0, it continues to pose significant risks due to ongoing evidence of active exploitation. The flaw, assigned a CVSS score ranging from 6.1 to 6.9, allows for arbitrary code execution when HTML containing elements from untrusted sources is passed to jQuery’s Document Object Model (DOM) manipulation methods.

Although the jQuery team released a fix over three years ago, the vulnerability remains exploitable if organizations do not update their systems to the latest version. A potential workaround involves utilizing DOMPurify with the SAFE_FOR_JQUERY flag to sanitize HTML strings before they are processed with jQuery functions. However, CISA’s advisory stops short of providing detailed specifics regarding the modes of exploitation or the identities of the threat actors. Notable groups such as APT1, also recognized as Brown Fox or Comment Panda, and APT27, known as Brown Worm or Emissary Panda, have reportedly leveraged this flaw in their malicious activities.

Vulnerability Details and Exploitation Evidence

In February 2024, Dutch security firm EclecticIQ disclosed that command and control addresses associated with malicious campaigns targeting Ivanti appliances used vulnerable jQuery versions susceptible to CVE-2020-11023 among other flaws. This vulnerability, if exploited, can lead to severe security breaches, allowing attackers to execute arbitrary code within the user’s browser environment. The exploitation typically involves injecting malicious scripts into web pages viewed by unsuspecting users, potentially giving hackers unauthorized access to sensitive information or the ability to perform further attacks.

The persistent use of outdated jQuery versions by some organizations has only exacerbated the risk associated with this XSS flaw. In response to growing concerns, CISA strongly urges all impacted entities to update their jQuery libraries to the patched versions, if they have not already done so. The advisory comes as part of an ongoing effort to bolster the nation’s cybersecurity defenses and mitigate the damage from known exploitable vulnerabilities. Agencies within the Federal Civilian Executive Branch (FCEB) were specifically instructed to address this issue by February 13, 2025, as mandated by Binding Operational Directive (BOD) 22-01.

Importance of Timely Remediation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently included a five-year-old cross-site scripting (XSS) flaw identified as CVE-2020-11023 in its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, found in the popular jQuery JavaScript library, was patched in April 2020 with the release of jQuery version 3.5.0. Despite this, it remains a significant threat due to evidence of ongoing exploitation. With a CVSS score ranging from 6.1 to 6.9, this medium-severity issue allows for arbitrary code execution when HTML with elements from untrusted sources is passed to jQuery’s DOM manipulation methods.

Although the jQuery team provided a fix over three years ago, the vulnerability persists where systems aren’t updated. As a potential workaround, leveraging DOMPurify with the SAFE_FOR_JQUERY flag can sanitize HTML strings before processing them with jQuery functions. However, CISA’s advisory does not detail the exploitation methods or identify the attackers. Notable threat groups such as APT1 (Brown Fox or Comment Panda) and APT27 (Brown Worm or Emissary Panda) have reportedly utilized this flaw for malicious purposes.

Explore more

Can Employers Be Liable for Workplace Violence?

What happens when a routine day at work turns into a scene of chaos? In today’s rapidly evolving work environments, tensions can occasionally escalate, leading to unforeseen violent incidents. With reports of workplace violence on the rise globally, employers and employees alike grapple with the pressing question of responsibility and liability. Understanding the Surge in Workplace Violence Workplace violence is

Exposed Git Repositories: A Growing Cybersecurity Threat

The Forgotten Vaults of Cyberspace In an era where digital transformation accelerates at an unprecedented pace, Git repositories often become overlooked conduits for sensitive data exposure. Software developers rely heavily on these tools for seamless version control and collaborative coding, yet they unwittingly open new avenues for cyber adversaries. With nearly half of an organization’s sensitive information found residing within

Synthetic Data Utilization – Review

In a rapidly digitizing world, securing vast amounts of real-world data for training sophisticated AI models poses daunting challenges, especially with strict privacy regulations shaping data landscapes. Enter synthetic data—an innovative tool breaking new ground in the realm of machine learning and data science by offering a simulation of real datasets. With its ability to address privacy concerns, enhance data

Debunking Common Networking Myths for Better Connectivity

Dominic Jainy is known for his depth of understanding in artificial intelligence, machine learning, and blockchain technologies. His extensive experience has equipped him with a keen eye for identifying and debunking myths that circulate within the realms of technology and networking. In this interview, Dominic shares his insights on some of the common misconceptions about networking, touching upon signal bars,

American Airlines and Mastercard Enhance Loyalty Program

Nikolai Braiden, a seasoned expert in financial technology, is a trailblazer in the use of blockchain and has been instrumental in advising numerous startups on leveraging technology to foster innovation. Today, we explore his insights on the extended partnership between American Airlines and Mastercard, a collaboration poised to revolutionize travel and payment experiences. Can you explain the key reasons behind