The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a now-patched security flaw in the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion follows evidence of the flaw being actively exploited in real-world scenarios.
The vulnerability, identified as CVE-2020-11023, is a medium-severity cross-site scripting (XSS) bug with a CVSS score of 6.1 to 6.9. Despite being discovered nearly five years ago, it still poses a risk, as it allows attackers to execute arbitrary code on targeted systems.
Details of CVE-2020-11023
According to a GitHub advisory, the vulnerability occurs when HTML containing <option> elements from untrusted sources is passed to one of jQuery's DOM manipulation methods, such as .html() or .append(). Even after basic sanitization, this could lead to the execution of untrusted code.
The issue was patched in jQuery version 3.5.0, released in April 2020. As a workaround, developers can use the DOMPurify library with the SAFE_FOR_JQUERY flag to sanitize HTML strings before passing them to jQuery methods.
Active Exploitation and Threat Actor Activity
Although CISA's advisory does not provide detailed information about specific exploitation campaigns or the threat actors involved, reports suggest that APT1 (Brown Fox/Comment Panda) and APT27 (Brown Worm/Emissary Panda) have leveraged this vulnerability.
In February 2024, Dutch security firm EclecticIQ reported that attackers exploited security flaws, including CVE-2020-11023, in Ivanti appliances. These campaigns were linked to command-and-control (C2) addresses running vulnerable versions of jQuery. Other flaws, such as CVE-2020-11022 and CVE-2019-11358, were also flagged in this context.
Federal Agencies Urged to Act
In line with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to address CVE-2020-11023 by February 13, 2025. This measure aims to mitigate potential threats and strengthen network defenses against active exploits.
Key Takeaways
- Ensure your systems are running jQuery 3.5.0 or later to avoid this vulnerability.
- Use DOMPurify or similar tools to sanitize untrusted HTML before passing it to jQuery methods.
- Stay informed about vulnerabilities in third-party libraries and update them regularly.
By addressing this long-standing vulnerability, organizations can reduce their exposure to potential attacks and safeguard critical infrastructure.