CISA Adds Exploited jQuery XSS Flaw CVE-2020-11023 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a five-year-old cross-site scripting (XSS) vulnerability identified as CVE-2020-11023, found in the widely-used jQuery JavaScript library, to its Known Exploited Vulnerabilities (KEV) catalog. Despite this medium-severity flaw being patched in April 2020 with the release of jQuery version 3.5.0, it continues to pose significant risks due to ongoing evidence of active exploitation. The flaw, assigned a CVSS score ranging from 6.1 to 6.9, allows for arbitrary code execution when HTML containing elements from untrusted sources is passed to jQuery’s Document Object Model (DOM) manipulation methods.

Although the jQuery team released a fix over three years ago, the vulnerability remains exploitable if organizations do not update their systems to the latest version. A potential workaround involves utilizing DOMPurify with the SAFE_FOR_JQUERY flag to sanitize HTML strings before they are processed with jQuery functions. However, CISA’s advisory stops short of providing detailed specifics regarding the modes of exploitation or the identities of the threat actors. Notable groups such as APT1, also recognized as Brown Fox or Comment Panda, and APT27, known as Brown Worm or Emissary Panda, have reportedly leveraged this flaw in their malicious activities.

Vulnerability Details and Exploitation Evidence

In February 2024, Dutch security firm EclecticIQ disclosed that command and control addresses associated with malicious campaigns targeting Ivanti appliances used vulnerable jQuery versions susceptible to CVE-2020-11023 among other flaws. This vulnerability, if exploited, can lead to severe security breaches, allowing attackers to execute arbitrary code within the user’s browser environment. The exploitation typically involves injecting malicious scripts into web pages viewed by unsuspecting users, potentially giving hackers unauthorized access to sensitive information or the ability to perform further attacks.

The persistent use of outdated jQuery versions by some organizations has only exacerbated the risk associated with this XSS flaw. In response to growing concerns, CISA strongly urges all impacted entities to update their jQuery libraries to the patched versions, if they have not already done so. The advisory comes as part of an ongoing effort to bolster the nation’s cybersecurity defenses and mitigate the damage from known exploitable vulnerabilities. Agencies within the Federal Civilian Executive Branch (FCEB) were specifically instructed to address this issue by February 13, 2025, as mandated by Binding Operational Directive (BOD) 22-01.

Importance of Timely Remediation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently included a five-year-old cross-site scripting (XSS) flaw identified as CVE-2020-11023 in its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, found in the popular jQuery JavaScript library, was patched in April 2020 with the release of jQuery version 3.5.0. Despite this, it remains a significant threat due to evidence of ongoing exploitation. With a CVSS score ranging from 6.1 to 6.9, this medium-severity issue allows for arbitrary code execution when HTML with elements from untrusted sources is passed to jQuery’s DOM manipulation methods.

Although the jQuery team provided a fix over three years ago, the vulnerability persists where systems aren’t updated. As a potential workaround, leveraging DOMPurify with the SAFE_FOR_JQUERY flag can sanitize HTML strings before processing them with jQuery functions. However, CISA’s advisory does not detail the exploitation methods or identify the attackers. Notable threat groups such as APT1 (Brown Fox or Comment Panda) and APT27 (Brown Worm or Emissary Panda) have reportedly utilized this flaw for malicious purposes.

Explore more

Vivo X Fold 6 – Review

The arrival of the Vivo X Fold 6 marks a pivotal moment where foldable devices transcend their status as fragile novelties to become the primary choice for power users. This transition represents a significant advancement in the mobile sector, pushing the boundaries of what a single handset can accomplish. By merging a book-style form factor with the raw performance of

Oppo Reno16 Series – Review

The modern smartphone market has reached a peculiar crossroads where the distinction between mid-range utility and flagship luxury is no longer defined by features but by the audacity of a manufacturer’s pricing strategy. Traditional product cycles often prioritize incremental updates, but this latest iteration signals a departure from conservative engineering. By integrating components usually reserved for the highest echelon of

AI Adoption Fails Without Proper Workforce Readiness

Ling-yi Tsai is a formidable force in the HRTech sector, possessing decades of experience guiding global organizations through the complex labyrinth of digital evolution. Her mastery of HR analytics and her tactical approach to integrating technology across recruitment and talent management have made her a sought-after advisor for companies looking to bridge the gap between human potential and machine efficiency.

The Human Infrastructure Powering Artificial Intelligence

The seamless flicker of a chatbot’s reply or the effortless lane change of a driverless vehicle often masks a vast, invisible network of human cognitive labor that makes such digital grace possible. While the marketing of advanced technology frequently paints a picture of silicon brains evolving in isolation, the underlying reality is a global assembly line of human intelligence. Every

Bruce Clay Leaves a Lasting Legacy as the Father of SEO

The Architect of an Industry and the Importance of Digital Frameworks The digital landscape we navigate today was not born out of thin air but was meticulously shaped by a few visionary thinkers who saw the potential of the internet long before it became a global marketplace. Among these pioneers, Bruce Clay stood as a singular figure whose influence spanned