The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a critical vulnerability in the widely used jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog due to ongoing exploitation concerns. This security flaw, identified as CVE-2020-11023, poses medium-level severity, scored between 6.1 and 6.9 on the Common Vulnerability Scoring System (CVSS). Notably, it is a cross-site scripting (XSS) vulnerability that could lead to arbitrary code execution.
According to a GitHub advisory, the flaw arises when HTML that includes <option> elements from unreliable sources is passed to certain jQuery DOM manipulation methods, including .html() and .append(). Even after attempting to sanitize this data, untrusted code may still execute, opening the door for potential exploitation.
This vulnerability was addressed in jQuery version 3.5.0, released in April 2020. To mitigate the risk associated with CVE-2020-11023, organizations are encouraged to implement a workaround that involves using DOMPurify with the SAFE_FOR_JQUERY flag, which helps sanitize HTML before it is processed by jQuery methods.
While CISA’s advisory offers little detail about specific exploitation methods or the identity of threat actors exploiting this vulnerability, reports indicate that groups such as APT1 and APT27 have previously utilized it in their cyber operations. Threat intelligence from Health-ISAC and Tenable supports this assertion.
Further, Dutch security firm EclecticIQ highlighted that command-and-control addresses related to recent malicious campaigns exploiting vulnerabilities in Ivanti appliances utilized a version of jQuery vulnerable to CVE-2020-11023, among others. This information emphasizes the relevance of keeping software up to date and being aware of known vulnerabilities.
To ensure the security of federal networks against potential threats, the Binding Operational Directive (BOD) 22-01 advises Federal Civilian Executive Branch agencies to address the identified flaw by February 13, 2025.
In summary, the ongoing risks associated with CVE-2020-11023 underscore the necessity for organizations to remain vigilant about updates and security measures. Monitoring fields of active exploitation, particularly with regard to adversarial techniques outlined in the MITRE ATT&CK framework, will be essential for maintaining robust cybersecurity defenses.
