Low severity: jQuery up to 3.4.x html cross-site scripting vulnerability

CVE ID: CVE-2020-11023
Exploitation status: PoC public
Patch status: Official patch
Disclosure date: 2020-04-30
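Vulnerability description
jQuery is an open-source, cross-browser JavaScript library by the American programmer John Resig. The library simplifies operations between HTML and JavaScript and features modularity and plugin extensibility. A cross-site scripting vulnerability exists in jQuery versions from 1.0.3 up to, but not including, 3.5.0. The vulnerability stems from the web application's lack of proper validation of client-side data. An attacker can exploit this vulnerability to execute client-side code.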

Remediation
The vendor has released a fix for this vulnerability; follow the update promptly:
https://jquery.com/upgrade-guide/3.5/
Affected software
#  Type         Vendor                      Product      Version  Affected range
1  Runs in the following environments:
   Application  jquery                      jquery       *        From (including) 1.0.3, up to (excluding) 3.5.0
   System       alibaba_cloud_linux_2.1903  pcs          *        Up to (excluding) 0.9.169-3.1.al7.3
   System       alma_linux_8                pcs          *        Up to (excluding) 0.10.10-4.el8.alma
   System       alpine_3.11                 drupal7      *        Up to (excluding) 7.70-r0
   System       alpine_3.12                 drupal7      *        Up to (excluding) 7.70-r0
   System       alpine_3.13                 cacti        *        Up to (excluding) 1.2.13-r0
   System       alpine_3.14                 cacti        *        Up to (excluding) 1.2.13-r0
   System       alpine_3.15                 cacti        *        Up to (excluding) 1.2.13-r0
   System       alpine_3.16                 cacti        *        Up to (excluding) 1.2.13-r0
   System       alpine_3.17                 cacti        *        Up to (excluding) 1.2.13-r0
   System       alpine_3.18                 cacti        *        Up to (excluding) 1.2.13-r0
   System       alpine_3.19                 cacti        *        Up to (excluding) 1.2.13-r0
   System       amazon_2                    ipa          *        Up to (excluding) 4.6.8-5.amzn2.4.1
   System       anolis_os_7                 pcs          *        Up to (excluding) 0.9.169-3
   System       centos_7                    ipa-server   *        Up to (excluding) 4.6.8-5.el7.centos.9
   System       debian_11                   otrs2        *        Up to (excluding) 3.5.0+dfsg-2
   System       debian_12                   node-jquery  *        Up to (excluding) 3.5.0+dfsg-2
   System       debian_9                    jquery       *        Up to (excluding) 7.52-2+deb9u10
   System       fedora_31                   drupal7      *        Up to (excluding) 7.72-1.fc31
   System       fedora_32                   drupal7      *        Up to (excluding) 7.72-1.fc32
   System       fedora_33                   drupal7      *        Up to (excluding) 7.72-1.fc33
   System       fedora_EPEL_6               drupal7      *        Up to (excluding) 7.72-1.el6
   System       fedora_EPEL_7               drupal7      *        Up to (excluding) 7.72-1.el7
   System       opensuse_Leap_15.1          otrs         *        Up to (excluding) 6.0.30-bp152.2.11.1
   System       opensuse_Leap_15.2          otrs         *        Up to (excluding) 6.0.30-bp152.2.11.1
   System       oracle_7                    jquery-ui    *        Up to (excluding) 1.10.4.custom-4.0.1.el7
   System       oracle_8                    pcs          *        Up to (excluding) 0.10.10-4.0.1.el8
   System       redhat_7                    ipa-server   *        Up to (excluding) 4.6.8-5.el7_9.4
   System       rocky_linux_8               pcs          *        Up to (excluding) 0.10.10-4.el8
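Alibaba Cloud score
3.7
  • Attack vector
    Remote
  • Attack complexity
    Low
  • Privileges required
    None
  • Scope of impact
    Limited impact
  • Exploit maturity
    PoC public
  • Patch status
    Official patch
  • Data confidentiality
    No impact
  • Data integrity
    Transmission compromised
  • Server impact
    No impact
  • Internet-wide count
    N/A
CWE-ID  Vulnerability type
CWE-79  Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Alibaba Cloud security product coverage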