    CISA Highlights Years-Old jQuery XSS Vulnerability in Exploitation Registry

    On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included a previously patched security loophole in the widely-used jQuery JavaScript library within its Known Exploited Vulnerabilities (KEV) catalog. This action stems from substantiated evidence of its active exploitation in real-world scenarios.

    The vulnerability in question, tagged as CVE-2020-11023 with a CVSS severity score of 6.1 to 6.9, is a cross-site scripting (XSS) flaw that dates back almost five years. Exploiting this defect allows attackers to execute arbitrary script in the context of the affected web page, posing a significant risk to systems relying on outdated jQuery versions.

    A GitHub advisory addressing the flaw elucidates the issue, stating: “Supplying HTML containing <option> elements from unreliable origins—even post-sanitization—to any of jQuery’s DOM manipulation functions (such as .html() or .append()) could result in the execution of unauthorized code.”

    The problem was mitigated in jQuery version 3.5.0, released in April 2020. For systems unable to upgrade, a feasible workaround entails employing DOMPurify with the SAFE_FOR_JQUERY flag enabled to sanitize the HTML string before passing it to jQuery's DOM manipulation methods.
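    Because the fix is a version boundary (3.5.0), the first defensive step is finding every page that still loads an older jQuery. The following is an added example, not code from the article, CISA, or the jQuery project: it scans page markup for `<script src>` references using the two common jQuery file layouts (`jquery-1.12.4.min.js` and `.../jquery/3.4.1/jquery.min.js`, both assumed naming conventions) and flags any version below 3.5.0. The sample HTML is constructed for illustration.

```javascript
// Added example (not from the article): flag jQuery script references whose
// version predates the 3.5.0 release that fixed CVE-2020-11023.
// The sample markup below is constructed; the file-name patterns are assumptions.

const FIXED_VERSION = [3, 5, 0]; // jQuery 3.5.0 (April 2020) contains the fix

// Parse "1.12.4" or "3.4" into a numeric triple; returns null if not a version.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?$/.exec(text);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic comparison of two numeric version triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Extract jQuery version strings from script src attributes. Handles the two
// common layouts: "jquery-1.12.4.min.js" and ".../jquery/3.4.1/jquery.min.js".
function extractJqueryVersions(html) {
  const found = [];
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const src = m[1];
    const byName = /jquery-(\d+\.\d+(?:\.\d+)?)(?:\.slim)?(?:\.min)?\.js$/i.exec(src);
    const byPath = /\/jquery\/(\d+\.\d+(?:\.\d+)?)\/jquery(?:\.slim)?(?:\.min)?\.js$/i.exec(src);
    const hit = byName || byPath;
    if (hit) found.push({ src, version: hit[1] });
  }
  return found;
}

// Return only the references older than the fixed version, in document order.
function findOutdatedJquery(html) {
  return extractJqueryVersions(html).filter(({ version }) => {
    const parsed = parseVersion(version);
    return parsed !== null && compareVersions(parsed, FIXED_VERSION) < 0;
  });
}

// Constructed sample page markup (not taken from any real site).
const SAMPLE_HTML = `
<html><head>
<script src="/static/js/jquery-1.12.4.min.js"></script>
<script src="https://cdn.example/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://cdn.example/ajax/libs/jquery/3.7.1/jquery.slim.min.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>`;

// Stand-alone run: report each reference still below 3.5.0.
for (const hit of findOutdatedJquery(SAMPLE_HTML)) {
  console.log(`outdated jQuery ${hit.version} (pre-3.5.0, CVE-2020-11023): ${hit.src}`);
}
```

    On the sample markup this reports the 1.12.4 and 3.4.1 references and leaves 3.7.1 alone. The check only sees file names; jQuery that is bundled or renamed by a build step will not match, so in a browser console the runtime value of `jQuery.fn.jquery` remains the authoritative check for a loaded page.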

    True to CISA's standard practice, its advisory remains sparse regarding the exact exploitation methodologies or the identities of adversaries leveraging this flaw. Publicly available information on concrete attacks utilizing this vulnerability is equally scarce.

    However, Dutch cybersecurity entity EclecticIQ disclosed in February 2024 that a malicious campaign targeting vulnerabilities in Ivanti appliances operated using a compromised jQuery version. This particular version was susceptible to CVE-2020-11023 and its related flaws, CVE-2020-11022 and CVE-2019-11358, suggesting their potential exploitation within the attack chain.

    Under the stipulations of Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are urged to rectify this vulnerability by February 13, 2025. This directive aims to fortify their networks against active and ongoing threats stemming from the exploitation of this flaw.
