
CISA has added a significant security vulnerability affecting the jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog. The medium-severity flaw, identified as CVE-2020-11023, carries a CVSS score of 6.1/6.9 and has been confirmed to be actively exploited.
The vulnerability, discovered nearly five years ago, is a cross-site scripting (XSS) bug that could enable arbitrary code execution. The security issue arises when HTML containing
jQuery version 3.5.0, released in April 2020, contains the patch for this vulnerability. Organizations unable to update immediately can implement a temporary fix by using DOMPurify with the SAFE_FOR_JQUERY flag to sanitize HTML strings before jQuery processing.
Recent findings by EclecticIQ revealed that command-and-control servers involved in Ivanti appliance attacks were running vulnerable jQuery versions affected by CVE-2020-11023 and related flaws CVE-2020-11022 and CVE-2019-11358.
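Because the exposure described above comes down to which jQuery build a page loads, an inventory check is the first defensive step. The following is an added example, not code from the article or the jQuery project: it scans page markup for jQuery script includes and reports which of the three CVEs named above still apply, using the article's fix version (3.5.0 for CVE-2020-11022 and CVE-2020-11023) plus, going beyond the article, the known fix version 3.4.0 for CVE-2019-11358. The sample markup and the `cdn.example.invalid` host are constructed.

```javascript
// Added example (not from the article or the jQuery project): scan page
// markup for jQuery <script> includes and report which of the CVEs named
// in the article a given version is still exposed to.
// Fix versions: CVE-2019-11358 -> 3.4.0 (known fact, beyond the article);
// CVE-2020-11022 and CVE-2020-11023 -> 3.5.0 (as the article states).
const JQUERY_CVES = [
  { id: "CVE-2019-11358", fixedIn: "3.4.0" },
  { id: "CVE-2020-11022", fixedIn: "3.5.0" },
  { id: "CVE-2020-11023", fixedIn: "3.5.0" },
];

// Compare dotted version strings numerically, so 1.12.4 < 3.5.0 and 3.10.0 > 3.5.0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// CVE ids from the list that a given jQuery version has not yet received the fix for.
function affectedCves(version) {
  return JQUERY_CVES
    .filter(c => compareVersions(version, c.fixedIn) < 0)
    .map(c => c.id);
}

// Pull src attributes of <script> tags that reference jQuery, then read the
// version out of common naming (jquery-3.4.1.min.js, jquery/1.12.4/jquery.js).
const SCRIPT_SRC = /<script[^>]*\ssrc=["']([^"']*jquery[^"']*)["']/gi;
const VERSION = /jquery[\/-](\d+\.\d+\.\d+)/i;

function findJqueryIncludes(html) {
  const found = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const src = m[1];
    const v = src.match(VERSION);
    const version = v ? v[1] : null;
    found.push({ src, version, cves: version ? affectedCves(version) : ["unknown-version"] });
  }
  return found;
}

// Constructed sample markup; the hostnames are placeholders, not real sites.
const SAMPLE_HTML = `
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/static/vendor/jquery-3.5.0.js"></script>
<script src="https://cdn.example.invalid/jquery/1.12.4/jquery.min.js"></script>
<script src="/static/app.js"></script>`;

function scanSample() { return findJqueryIncludes(SAMPLE_HTML); }
for (const r of scanSample()) console.log(r.src, r.version, r.cves.join(",") || "none");
```

The same `findJqueryIncludes` can be fed fetched HTML from an internal asset list; any include reporting CVE-2020-11023 is a candidate for the 3.5.0 upgrade or the DOMPurify interim measure described above.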
Under BOD 22-01, Federal Civilian Executive Branch agencies must address this vulnerability by February 13, 2025, to protect their networks from potential threats.