Monday, February 3, 2025

CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw affecting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.

“Passing HTML containing

The issue was addressed in jQuery version 3.5.0, released in April 2020. A workaround for CVE-2020-11023 involves using DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method.

As is often the case, the advisory from CISA is light on details regarding the specific nature of the exploitation and the identity of the threat actors weaponizing the weakness. Nor are there any recent public reports of attacks that leverage the flaw in question.

That said, there are reports that the vulnerability has been exploited by threat actors like APT1 (aka Brown Fox and Comment Panda) and APT27 (aka Brown Worm and Emissary Panda), per reports from Health-ISAC and Tenable.

Dutch security firm EclecticIQ also revealed in February 2024 that the command-and-control (C2) addresses associated with a malicious campaign exploiting security flaws in Ivanti appliances ran a version of jQuery that was vulnerable to at least one of three flaws: CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the identified flaw by February 13, 2025, to secure their networks against active threats.
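The EclecticIQ finding above (a served jQuery build vulnerable to at least one of the three CVEs) and the BOD 22-01 remediation deadline both come down to the same defender's task: knowing which jQuery version a site actually ships. The following Node.js script is an added example, not code from the article, CISA, or the jQuery project. It classifies a version string against the three CVEs named in the article and pulls jQuery versions out of a page's `<script src>` tags for inventory work. The fix version 3.5.0 is the one the article cites; the lower bounds of the affected ranges are taken from the NVD entries for each CVE. The sample HTML and the `cdn.example.invalid` host are constructed for the demonstration.

```javascript
// Added example (not from the article): classify a jQuery version against the
// three CVEs the article names, and extract jQuery versions from a page's
// <script src> tags so a defender can inventory what a site actually serves.

// Parse "3.4.1", "1.12.4" or "3.5" into a numeric triple; missing parts are 0.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable jQuery version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// Negative if a < b, 0 if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Half-open ranges [min, max): a version is affected when min <= v < max.
// Ranges per the NVD entries; 3.5.0 is the fix release the article cites.
const JQUERY_ADVISORIES = [
  { id: 'CVE-2020-11023', min: '1.0.3', max: '3.5.0' }, // XSS via <option> HTML, now in KEV
  { id: 'CVE-2020-11022', min: '1.2.0', max: '3.5.0' }, // XSS via htmlPrefilter
  { id: 'CVE-2019-11358', min: '0.0.0', max: '3.4.0' }, // prototype pollution in $.extend
];

// Return the ids of the advisories whose affected range contains `version`.
function affectedCves(version) {
  return JQUERY_ADVISORIES
    .filter((a) => compareVersions(version, a.min) >= 0 && compareVersions(version, a.max) < 0)
    .map((a) => a.id);
}

// Extract jQuery versions from <script src="..."> attributes that follow the
// common "jquery-X.Y.Z[.min|.slim].js" or ".../jquery/X.Y.Z/jquery.min.js"
// naming. This is a heuristic for inventory sweeps; the authoritative check
// is reading jQuery.fn.jquery at runtime inside the page itself.
function jqueryVersionsInHtml(html) {
  const found = new Set();
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const src = m[1];
    const byName = /jquery-(\d+\.\d+(?:\.\d+)?)(?:\.min|\.slim|\.slim\.min)?\.js/i.exec(src);
    const byPath = /\/jquery\/(\d+\.\d+(?:\.\d+)?)\//i.exec(src);
    const hit = byName || byPath;
    if (hit) found.add(hit[1]);
  }
  return [...found];
}

// Inventory report: one entry per jQuery version found, with the CVEs that apply.
function auditHtml(html) {
  return jqueryVersionsInHtml(html).map((v) => ({ version: v, cves: affectedCves(v) }));
}

// Constructed sample page (not a real site): one self-hosted build and one
// CDN build, both older than the 3.5.0 fix release.
const SAMPLE_HTML = `
<html><head>
<script src="/static/js/jquery-3.4.1.min.js"></script>
<script src="https://cdn.example.invalid/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>`;

for (const row of auditHtml(SAMPLE_HTML)) {
  const status = row.cves.length
    ? `AFFECTED: ${row.cves.join(', ')}`
    : 'not affected by the three advisories';
  console.log(`jQuery ${row.version}: ${status}`);
}
```

Run it with `node` against saved HTML to get a quick first pass over an estate of web front ends; any hit on `CVE-2020-11023` is the KEV entry with the February 13, 2025 deadline. Because the script only looks at file names and CDN paths, a renamed or bundled copy of jQuery will be missed, which is why the comment points to `jQuery.fn.jquery` as the runtime source of truth.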

(The story was updated after publication to include references to reports highlighting exploitation of CVE-2020-11023.)
