jQuery DOM Manipulation Vulnerability: Untrusted Code Execution via <option> Elements

CVE-2020-11023 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append() and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Why sanitizing does not help: a sanitizer parses the string it is given on its own, but affected jQuery versions rewrite the string before assigning it to innerHTML, wrapping markup whose first tag is <option> (or <optgroup>) in a <select> so that old Internet Explorer could build the fragment. The browser therefore parses different markup from the markup that was validated, and content that was inert in the sanitizer's parse (text inside a <style> element, for example) can become live elements once it is parsed inside the <select> wrapper. jQuery 3.5.0 adds the wrapper only on IE 9, where it is still required, so on other browsers the string reaches innerHTML unchanged.

The jQuery.htmlPrefilter identity-function workaround that is often quoted alongside this issue addresses the related CVE-2020-11022 and does not remove the <select> wrapper, so the fix for this issue is to upgrade to jQuery 3.5.0 or later. On versions that cannot be upgraded, do not pass untrusted HTML strings to .html(), .append(), .prepend(), .before(), .after(), .replaceWith(), .wrap() or jQuery(html) at all: use .text() for untrusted content, or pass DOM nodes produced by the sanitizer rather than a serialized string.
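The following JavaScript is an added example, not code from jQuery or from this advisory. It reproduces at the string level what jQuery before 3.5.0 did to an HTML string inside buildFragment() before assigning it to innerHTML, so the markup the browser parsed can be compared with the markup a sanitizer validated. The regex and the wrapMap entries mirror the pre-3.5.0 source (the wrapMap entries for table parts are omitted); the payload is a constructed illustration of the <option>/<style> context mismatch and is not presented as the advisory's own proof of concept. It runs in Node without jQuery.

```javascript
"use strict";

// Pre-3.5.0 jQuery.htmlPrefilter: expand self-closing tags (except void
// elements) into an open/close pair, e.g. "<b/>" -> "<b></b>". Since 3.5.0
// htmlPrefilter returns its input unchanged.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Pre-3.5.0 wrapMap: a string whose first tag is <option> or <optgroup> was
// wrapped in a <select> so that old IE would parse the fragment. jQuery 3.5.0
// only adds this wrapper on IE 9, where it is still required.
const rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]*)/i;
const legacyWrapMap = {
  option: ["<select multiple='multiple'>", "</select>"],
  _default: ["", ""],
};
legacyWrapMap.optgroup = legacyWrapMap.option;

function firstTagName(html) {
  const m = rtagName.exec(html);
  return m ? m[1].toLowerCase() : "";
}

function hasWrapper(tag) {
  return tag !== "_default" && Object.prototype.hasOwnProperty.call(legacyWrapMap, tag);
}

// What jQuery < 3.5.0 assigned to tmp.innerHTML for this input.
function legacyInnerHtmlFor(html) {
  const tag = firstTagName(html);
  const wrap = hasWrapper(tag) ? legacyWrapMap[tag] : legacyWrapMap._default;
  return wrap[0] + legacyHtmlPrefilter(html) + wrap[1];
}

// What jQuery >= 3.5.0 assigns on a browser that does not need the wrapper:
// the string passes through untouched, so sanitizer and browser parse the
// same markup.
function modernInnerHtmlFor(html) {
  return html;
}

// Hardening check (assumed helper, not part of jQuery) for sites still pinned
// to an affected version: report whether the legacy path would rewrite this
// string at all. Any rewrite means the sanitizer's verdict no longer applies
// to what the browser will parse, so the string should be refused.
function legacyJQueryRewrites(html) {
  const prefilterChanged = legacyHtmlPrefilter(html) !== html;
  const wrapped = hasWrapper(firstTagName(html));
  return { prefilterChanged, wrapped, rewritten: prefilterChanged || wrapped };
}

// Constructed illustration of the context mismatch. Parsed on its own (as a
// sanitizer does), <style> is a raw-text element, so "</option></select><img
// ...>" is merely its text content and no <img> element exists. Parsed inside
// the <select> wrapper, the HTML parser's "in select" insertion mode ignores
// the <style> start tag, the </select> closes the wrapper early, and the
// <img onerror> becomes a live element whose handler runs.
const UNTRUSTED_OPTION_HTML =
  "<option><style></option></select><img src=x onerror=alert(1)></style>";

console.log("sanitizer validated:", UNTRUSTED_OPTION_HTML);
console.log("jQuery < 3.5.0 parsed:", legacyInnerHtmlFor(UNTRUSTED_OPTION_HTML));
console.log("jQuery >= 3.5.0 parsed:", modernInnerHtmlFor(UNTRUSTED_OPTION_HTML));
console.log("rewrite report:", legacyJQueryRewrites(UNTRUSTED_OPTION_HTML));
```

The practical lesson is that a sanitizer's output is only as safe as the exact string that reaches the browser's parser; any layer that rewrites or re-wraps markup between sanitizer and innerHTML, as affected jQuery versions did, invalidates that guarantee. The legacyJQueryRewrites check is a stop-gap for teams that cannot upgrade immediately; the real fix remains jQuery 3.5.0 or later.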
