Low severity: jQuery up to 3.4.x html cross-site scripting vulnerability

CVE ID

CVE-2020-11022

Exploitation status

PoC publicly available

Patch status

Official patch

Disclosure date

2020-04-30
Vulnerability description
jQuery is an open-source, cross-browser JavaScript library written by the American programmer John Resig. The library simplifies working with HTML from JavaScript and features a modular design and plugin extensibility. jQuery versions 1.2 up to (but not including) 3.5.0 contain a cross-site scripting vulnerability. The vulnerability stems from the web application's lack of proper validation of client-supplied data. An attacker can exploit it to execute client-side code.

Remediation advice
The vendor has released an upgrade patch that fixes the vulnerability; the patch is available at:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
References
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
https://jquery.com/upgrade-guide/3.5/
https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba...
https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3...
https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442ee...
https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b...
https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bc...
https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc...
https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373c...
https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed7095448...
https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677b...
https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68...
https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea365005...
https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.gentoo.org/glsa/202007-03
https://security.netapp.com/advisory/ntap-20200511-0006/
https://www.debian.org/security/2020/dsa-4693
https://www.drupal.org/sa-core-2020-002
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.tenable.com/security/tns-2020-10
https://www.tenable.com/security/tns-2020-11
https://www.tenable.com/security/tns-2021-02
https://www.tenable.com/security/tns-2021-10
Affected software
# | Type | Vendor | Product | Version | Impact
1 | runs in the following environments (version ranges are written as >= / <= for inclusive bounds and < for exclusive bounds; "-" means no version given):
Application | drupal | drupal | >= 7.0, < 7.70
Application | drupal | drupal | >= 8.7.0, < 8.7.14
Application | drupal | drupal | >= 8.8.0, < 8.8.6
Application | jquery | jquery | >= 1.2, < 3.5.0
Application | netapp | oncommand_insight | -
Application | netapp | oncommand_system_manager | >= 3.0, <= 3.1.3
Application | netapp | snapcenter | -
Application | netapp | snap_creator_framework | -
Application | opensuse | backports_sle | 15.0
Application | oracle | agile_product_supplier_collaboration_for_process | 6.2.0.0
Application | oracle | application_testing_suite | 13.3.0.1
Application | oracle | banking_digital_experience | 18.1
Application | oracle | banking_digital_experience | 18.2
Application | oracle | banking_digital_experience | 18.3
Application | oracle | banking_digital_experience | 19.1
Application | oracle | banking_digital_experience | 19.2
Application | oracle | banking_digital_experience | 20.1
Application | oracle | communications_application_session_controller | 3.8m0
Application | oracle | communications_billing_and_revenue_management | 12.0.0.3.0
Application | oracle | communications_billing_and_revenue_management | 7.5.0.23.0
Application | oracle | communications_diameter_signaling_router_idih~ | >= 8.0.0, <= 8.2.2
Application | oracle | communications_webrtc_session_controller | 7.2
Application | oracle | enterprise_manager_ops_center | 12.4.0.0
Application | oracle | enterprise_session_border_controller | 8.4
Application | oracle | financial_services_analytical_applications_infrastructure | >= 8.0.6.0.0, <= 8.1.0.0.0
Application | oracle | financial_services_analytical_applications_reconciliation_framework | >= 8.0.6, <= 8.0.8
Application | oracle | financial_services_analytical_applications_reconciliation_framework | 8.1.0
Application | oracle | financial_services_asset_liability_management | 8.0.6
Application | oracle | financial_services_asset_liability_management | 8.0.7
Application | oracle | financial_services_asset_liability_management | 8.1.0
Application | oracle | financial_services_balance_sheet_planning | 8.0.8
Application | oracle | financial_services_basel_regulatory_capital_basic | >= 8.0.6, <= 8.0.8
Application | oracle | financial_services_basel_regulatory_capital_basic | 8.1.0
Application | oracle | financial_services_basel_regulatory_capital_internal_ratings_based_approach | >= 8.0.6, <= 8.0.8
Application | oracle | financial_services_basel_regulatory_capital_internal_ratings_based_approach | 8.1.0
Application | oracle | financial_services_data_foundation | >= 8.0.6, <= 8.1.0
Application | oracle | financial_services_data_governance_for_us_regulatory_reporting | >= 8.0.6, <= 8.0.9
Application | oracle | financial_services_data_integration_hub | 8.0.6
Application | oracle | financial_services_data_integration_hub | 8.0.7
Application | oracle | financial_services_data_integration_hub | 8.1.0
Application | oracle | financial_services_funds_transfer_pricing | 8.0.6
Application | oracle | financial_services_funds_transfer_pricing | 8.0.7
Application | oracle | financial_services_funds_transfer_pricing | 8.1.0
Application | oracle | financial_services_hedge_management_and_ifrs_valuations | >= 8.0.6, <= 8.0.8
Application | oracle | financial_services_hedge_management_and_ifrs_valuations | 8.1.0
Application | oracle | financial_services_institutional_performance_analytics | 8.0.6
Application | oracle | financial_services_institutional_performance_analytics | 8.0.7
Application | oracle | financial_services_institutional_performance_analytics | 8.1.0
Application | oracle | financial_services_liquidity_risk_management | 8.0.6
Application | oracle | financial_services_liquidity_risk_measurement_and_management | 8.0.7
Application | oracle | financial_services_liquidity_risk_measurement_and_management | 8.0.8
Application | oracle | financial_services_liquidity_risk_measurement_and_management | 8.1.0
Application | oracle | financial_services_loan_loss_forecasting_and_provisioning | >= 8.0.6, <= 8.0.8
Application | oracle | financial_services_loan_loss_forecasting_and_provisioning | 8.1.0
Application | oracle | financial_services_market_risk_measurement_and_management | 8.0.6
Application | oracle | financial_services_market_risk_measurement_and_management | 8.0.8
Application | oracle | financial_services_price_creation_and_discovery | 8.0.6
Application | oracle | financial_services_price_creation_and_discovery | 8.0.7
Application | oracle | financial_services_profitability_management | 8.0.6
Application | oracle | financial_services_profitability_management | 8.0.7
Application | oracle | financial_services_profitability_management | 8.1.0
Application | oracle | financial_services_regulatory_reporting_for_european_banking_authority | >= 8.0.6, <= 8.1.0
Application | oracle | financial_services_regulatory_reporting_for_us_federal_reserve | >= 8.0.6, <= 8.0.9
Application | oracle | healthcare_foundation | 7.1.1
Application | oracle | healthcare_foundation | 7.2.0
Application | oracle | healthcare_foundation | 7.2.1
Application | oracle | healthcare_foundation | 7.3.0
Application | oracle | hospitality_materials_control | 18.1
Application | oracle | hospitality_simphony | >= 19.1.0, <= 19.1.2
Application | oracle | hospitality_simphony | 18.1
Application | oracle | hospitality_simphony | 18.2
Application | oracle | insurance_accounting_analyzer | 8.0.9
Application | oracle | insurance_allocation_manager_for_enterprise_profitability | 8.0.8
Application | oracle | insurance_allocation_manager_for_enterprise_profitability | 8.1.0
Application | oracle | insurance_data_foundation | >= 8.0.6, <= 8.1.0
Application | oracle | insurance_insbridge_rating_and_underwriting | >= 5.0.0.0, <= 5.6.0.0
Application | oracle | insurance_insbridge_rating_and_underwriting | 5.6.1.0
Application | oracle | jdeveloper | 11.1.1.9.0
Application | oracle | jdeveloper | 12.2.1.3.0
Application | oracle | jdeveloper | 12.2.1.4.0
Application | oracle | peoplesoft_enterprise_peopletools | 8.56
Application | oracle | peoplesoft_enterprise_peopletools | 8.57
Application | oracle | peoplesoft_enterprise_peopletools | 8.58
Application | oracle | policy_automation | >= 12.2.0, <= 12.2.20
Application | oracle | policy_automation_connector_for_siebel | 10.4.6
Application | oracle | policy_automation_for_mobile_devices | >= 12.2.0, <= 12.2.20
Application | oracle | retail_back_office | 14.0
Application | oracle | retail_back_office | 14.1
Application | oracle | retail_customer_management_and_segmentation_foundation | 19.0
Application | oracle | retail_returns_management | 14.0
Application | oracle | retail_returns_management | 14.1
Application | oracle | siebel_ui_framework | 20.8
Application | oracle | weblogic_server | 10.3.6.0.0
Application | oracle | weblogic_server | 12.1.3.0.0
Application | oracle | weblogic_server | 12.2.1.3.0
Application | oracle | weblogic_server | 12.2.1.4.0
Application | oracle | weblogic_server | 14.1.1.0.0
System | alibaba_cloud_linux_2.1903 | ipa | < 4.6.8-5.1.al7
System | alpine_3.11 | drupal7 | < 7.70-r0
System | alpine_3.12 | drupal7 | < 7.70-r0
System | alpine_3.13 | cacti | < 1.2.13-r0
System | alpine_3.14 | cacti | < 1.2.13-r0
System | alpine_3.15 | cacti | < 1.2.13-r0
System | alpine_3.16 | cacti | < 1.2.13-r0
System | alpine_3.17 | cacti | < 1.2.13-r0
System | alpine_3.18 | cacti | < 1.2.13-r0
System | alpine_3.19 | cacti | < 1.2.13-r0
System | amazon_2 | ipa | < 4.6.8-5.amzn2
System | centos_7 | ipa-server | < 4.6.8-5.el7
System | debian | debian_linux | 9.0
System | debian_11 | otrs2 | < 3.5.0+dfsg-2
System | debian_12 | node-jquery | < 3.5.0+dfsg-2
System | debian_9 | jquery | < 7.52-2+deb9u10
System | fedoraproject | fedora | 31
System | fedoraproject | fedora | 32
System | fedoraproject | fedora | 33
System | fedora_31 | drupal7 | < 7.72-1.fc31
System | fedora_32 | drupal7 | < 7.72-1.fc32
System | fedora_33 | drupal7 | < 7.72-1.fc33
System | fedora_EPEL_6 | drupal7 | < 7.72-1.el6
System | fedora_EPEL_7 | drupal7 | < 7.72-1.el7
System | netapp | h300e_firmware | -
System | netapp | h300s_firmware | -
System | netapp | h410c_firmware | -
System | netapp | h410s_firmware | -
System | netapp | h500e_firmware | -
System | netapp | h500s_firmware | -
System | netapp | h700e_firmware | -
System | netapp | h700s_firmware | -
System | opensuse | leap | 15.1
System | opensuse | leap | 15.2
System | opensuse_Leap_15.1 | otrs | < 6.0.30-bp152.2.11.1
System | opensuse_Leap_15.2 | otrs | < 6.0.30-bp152.2.11.1
System | oracle_7 | jquery-ui | < 1.10.4.custom-4.0.1.el7
System | redhat_7 | ipa-server | < 4.6.8-5.el7
Hardware | netapp | h300e | -
Hardware | netapp | h300s | -
Hardware | netapp | h410c | -
Hardware | netapp | h410s | -
Hardware | netapp | h500e | -
Hardware | netapp | h500s | -
Hardware | netapp | h700e | -
Hardware | netapp | h700s | -
Alibaba Cloud score
3.7
  • Attack vector: Remote
  • Attack complexity: Low
  • Privileges required: None
  • Scope of impact: Limited
  • Exploit maturity: PoC publicly available
  • Patch status: Official patch
  • Data confidentiality: No impact
  • Data integrity: Transmitted data can be tampered with
  • Server harm: No impact
  • Internet-wide exposed count: N/A
CWE-ID Vulnerability type
CWE-79 Improper neutralization of input during web page generation (cross-site scripting)
Alibaba Cloud security product coverage