gsd-2020-23064
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
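Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element. Note that "arbitrary code" here means script running in the victim's browser, not code execution on the server: the NVD entry in the record below classifies the issue as CWE-79 with a CVSS 3.1 base score of 6.1 (Medium, user interaction required). The fixed versions listed in the record are jQuery 3.5.0 for the npm and NuGet packages and 4.4.0 for the jquery-rails gem.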
Aliases
{ GSD: { alias: "CVE-2020-23064", id: "GSD-2020-23064", }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2020-23064", ], details: "Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.", id: "GSD-2020-23064", modified: "2023-12-13T01:22:02.513871Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-23064", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", refsource: "MISC", url: "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", }, { name: "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", refsource: "MISC", url: "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", }, { name: "https://security.netapp.com/advisory/ntap-20230725-0003/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20230725-0003/", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "<4.4.0", affected_versions: "All versions before 4.4.0", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", cwe_ids: [ "CWE-1035", "CWE-78", "CWE-79", "CWE-937", ], date: "2023-07-13", description: "Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote 
attacker to execute arbitrary code via the <options> element.", fixed_versions: [ "4.4.0", ], identifier: "CVE-2020-23064", identifiers: [ "GHSA-257q-pv89-v3xv", "CVE-2020-23064", ], not_impacted: "All versions starting from 4.4.0", package_slug: "gem/jquery-rails", pubdate: "2023-06-26", solution: "Upgrade to version 4.4.0 or above.", title: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2020-23064", "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440", "https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979", "https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162", "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml", "https://github.com/advisories/GHSA-257q-pv89-v3xv", ], uuid: "b05a62b1-9cc0-4a85-93fc-6f9fd15ea9b6", }, { affected_range: ">=1.0.3 <3.5.0", affected_versions: "All versions starting from 1.0.3 before 3.5.0", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", cwe_ids: [ "CWE-1035", "CWE-78", "CWE-79", "CWE-937", ], date: "2023-07-13", description: "Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.", fixed_versions: [ "3.5.0", ], identifier: "CVE-2020-23064", identifiers: [ "GHSA-257q-pv89-v3xv", "CVE-2020-23064", ], not_impacted: "All versions before 1.0.3, all versions starting from 3.5.0", package_slug: "npm/jquery", pubdate: "2023-06-26", solution: "Upgrade to version 3.5.0 or above.", title: "Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2020-23064", "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440", "https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979", "https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162", "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml", "https://github.com/advisories/GHSA-257q-pv89-v3xv", ], uuid: "02840a8e-ab57-4a58-8d70-7395a62b4665", }, { affected_range: "[1.0.3,3.5.0)", affected_versions: "All versions starting from 1.0.3 before 3.5.0", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", cwe_ids: [ "CWE-1035", "CWE-78", "CWE-79", "CWE-937", ], date: "2023-07-13", description: "Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.", fixed_versions: [ "3.5.0", ], identifier: "CVE-2020-23064", identifiers: [ "GHSA-257q-pv89-v3xv", "CVE-2020-23064", ], not_impacted: "All versions before 1.0.3, all versions starting from 3.5.0", package_slug: "nuget/jQuery", pubdate: "2023-06-26", solution: "Upgrade to version 3.5.0 or above.", title: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2020-23064", "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440", 
"https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979", "https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162", "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml", "https://github.com/advisories/GHSA-257q-pv89-v3xv", ], uuid: "156a1d6e-ced8-4449-a243-c56bcfcd80da", }, ], }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*", matchCriteriaId: "8BE6EB8F-B9E9-4B1C-B74E-E577348632E2", versionEndExcluding: "3.5.0", versionStartIncluding: "2.2.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:brocade_san_navigator:-:*:*:*:*:*:*:*", matchCriteriaId: "25FA7A4D-B0E2-423E-8146-E221AE2D6120", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", matchCriteriaId: "5C2089EE-5D7F-47EC-8EA5-0F69790564C4", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*", matchCriteriaId: "FDAC85F0-93AF-4BE3-AE1A-8ADAF1CDF9AB", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:virtual_desktop_service:-:*:*:*:*:*:*:*", matchCriteriaId: "7E92E0F6-336C-4321-9471-08E93616D247", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.", }, ], id: "CVE-2020-23064", lastModified: "2024-04-01T15:43:36.933", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: 
"LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-06-26T19:15:09.450", references: [ { source: "cve@mitre.org", tags: [ "Release Notes", ], url: "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20230725-0003/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }, }, }, }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.