Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

jQuery XSS via DOM manipulation of untrusted HTML containing <option> elements

IdentifiersCVE-2020-11023CWE-79· Improper Neutralization of Input…

In jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing <option> elements from untrusted sources to jQuery DOM manipulation methods such as .html(), .append(), and related APIs can result in execution of untrusted script in the browser. The issue persists even when the HTML has been sanitized in ways that are not safe for jQuery’s parsing behavior. The vulnerability is an improper neutralization of untrusted input during client-side HTML handling, leading to a cross-site scripting condition. The issue was patched in jQuery 3.5.0.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in cross-site scripting in the security context of the affected web application. An attacker can execute arbitrary JavaScript in a victim’s browser, which may enable session theft, DOM manipulation, credential capture, unauthorized actions as the victim, and access to sensitive data exposed to the page context. The content also notes evidence of active exploitation and that CVE-2020-11023 was added to CISA’s KEV catalog in January 2025.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, avoid passing attacker-controlled or untrusted HTML strings to jQuery DOM manipulation methods including .html() and .append(). The provided content specifically recommends sanitizing HTML with DOMPurify using the SAFE_FOR_JQUERY option before handing it to jQuery. Additional exposure reduction includes enforcing strict input handling and CSP, but these are compensating controls rather than a fix.

Remediation

Patch, then assume compromise.

Upgrade jQuery to version 3.5.0 or later. Where applicable, downstream packages that bundle jQuery should be updated to vendor-fixed releases; the provided content specifically notes jquery-rails 4.4.0 or later as fixed, and examples of products remediating the issue by upgrading bundled jQuery to newer versions such as 3.7.1.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).

VALID 2 / 6 TOTALView more in app
towaos-lab-cve-2020-11023MaturityPoCVerified exploit

This repository is a proof-of-concept (POC) environment for demonstrating CVE-2020-11023, a cross-site scripting (XSS) vulnerability in jQuery 3.4.1. The repository contains a Dockerfile and docker-compose.yml for easy setup of a vulnerable PHP web application. The main application (src/index.php) accepts user input via POST and directly injects it into the DOM using jQuery's .html() method, which is vulnerable to XSS. The README provides example payloads and mitigation strategies. The application is intended for educational and testing purposes only, and should not be used in production. The main exploit capability is browser-based XSS via injection of arbitrary JavaScript. The main endpoints are the local web server (http://localhost:8080) and the externally loaded jQuery library.

towaosDisclosed Dec 2, 2025phpyamlbrowser
CVE-2020-11022-CVE-2020-11023MaturityPoCVerified exploit

This repository is a proof-of-concept exploit for CVE-2020-11022 and CVE-2020-11023, which are cross-site scripting (XSS) vulnerabilities in jQuery versions prior to 3.5.0. The repository contains two files: a README.md with detailed exploitation instructions and an index.php file that serves as a vulnerable web application. The exploit demonstrates how an attacker can inject arbitrary JavaScript via the 'value' URL parameter, leading to XSS and cookie theft. The attack is performed by hosting index.php on a PHP webserver with a vulnerable jQuery version, then visiting a crafted URL and triggering DOM manipulation via a button. The exploit also shows how to exfiltrate cookies to an attacker-controlled server. The repository is structured as a simple, educational POC and does not include weaponized or automated exploitation features.

0xAJ2KDisclosed Oct 16, 2021phpjavascriptbrowser
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AdobeAdobe Experience Managerapplication
DebianDebian Linuxoperating_system
DrupalDrupalapplication
Fedora ProjectFedoraoperating_system
JqueryJqueryapplication
JqueryJquery-Railsapplication
Mitsubishi Electric CorporationEcowebserveriiiapplication
NetAppActive Iq Unified Managerapplication
NetAppCloud Backupapplication
NetAppCloud Insights Storage Workload Security Agentapplication
NetAppH300e Firmwareoperating_system
NetAppH300s Firmwareoperating_system
NetAppH410c Firmwareoperating_system
NetAppH410s Firmwareoperating_system
NetAppH500e Firmwareoperating_system
NetAppH500s Firmwareoperating_system
NetAppH700e Firmwareoperating_system
NetAppH700s Firmwareoperating_system
NetAppHci Baseboard Management Controllerapplication
NetAppMax Dataapplication
NetAppOncommand Insightapplication
NetAppOncommand System Managerapplication
NetAppSnap Creator Frameworkapplication
NetAppSnapcenter Serverapplication
OracleApplication Expressapplication
OracleApplication Testing Suiteapplication
OracleBanking Enterprise Collectionsapplication
OracleBanking Platformapplication
OracleBlockchain Platformapplication
OracleBusiness Intelligenceapplication
OracleCommunications Analyticsapplication
OracleCommunications Eagle Application Processorapplication
OracleCommunications Element Managerapplication
OracleCommunications Interactive Session Recorderapplication
OracleCommunications Operations Monitorapplication
OracleCommunications Services Gatekeeperapplication
OracleCommunications Session Report Managerapplication
OracleCommunications Session Route Managerapplication
OracleFinancial Services Regulatory Reporting For De Nederlandsche Bankapplication
OracleFinancial Services Revenue Management And Billing Analyticsapplication
OracleHealth Sciences Informapplication
OracleHealthcare Translational Researchapplication
OracleHyperion Financial Reportingapplication
OracleJd Edwards Enterpriseone Orchestratorapplication
OracleJd Edwards Enterpriseone Toolsapplication
OracleOss Support Toolsapplication
OraclePeoplesoft Enterprise Human Capital Management Resourcesapplication
OraclePrimavera Gatewayapplication
OracleRest Data Servicesapplication
OracleSiebel Mobileapplication
OracleStoragetek Acslsapplication
OracleStoragetek Tape Analytics Sw Toolapplication
OracleWebcenter Sitesapplication
OracleWeblogic Serverapplication
TenableLog Correlation Engineapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
scworldNews
Feb 26, 2026
Open-source vulnerabilities per codebase surge by 107% | news | SC Media

A medium-severity cross-site scripting (XSS) vulnerability in jQuery; noted as prevalent in codebases and listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

jQuery cross-site scripting vulnerability; added to CISA KEV indicating active exploitation.

Read more
ibmNews
Feb 20, 2021
Security Bulletin: Multiple vulnerability issues affect IBM Spectrum Conductor 2.5.0

A cross-site scripting vulnerability in jQuery related to improper validation of option elements.

Read more
adobe-security-bulletinsNews
Jul 9, 2019
Adobe Security Bulletin

A vulnerability in the jQuery dependency (as used by Adobe Experience Manager) described as enabling arbitrary code execution, affecting AEM 6.5.7.0 and earlier.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2020-11023
NVD
nvd.nist.gov/vuln/detail/CVE-2020-11023
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Patch
oracle.com//security-alerts/cpujul2021.html
Patch
oracle.com/security-alerts/cpuApr2021.html
Patch
oracle.com/security-alerts/cpuapr2022.html
Patch
oracle.com/security-alerts/cpujan2022.html
Patch
oracle.com/security-alerts/cpuoct2021.html
Vendor Advisory
blog.jquery.com/2020/04/10/jquery-3-5-0-released
Vendor Advisory
jquery.com/upgrade-guide/3.5
Third Party Advisory
packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html
Third Party Advisory
github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json
+55 more references
view more in app