CISA Adds a Five-Year-Old XSS Flaw to the Roster of Exploited Risks

Jan 24, 2025Ravie LakshmananVulnerability / JavaScript

Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw affecting the widely used jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog.

The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.

"Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code," according to an advisory released for the flaw.

The issue was fixed in jQuery 3.5.0, which was released in April 2020. A workaround for CVE-2020-11023 is to use DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method.

The CISA advisory offers no specifics about the nature of the exploitation or the identity of the threat actors attempting to exploit the weakness, and there have been no public reports describing attacks that use the issue.

That said, there are reports that the vulnerability has been exploited by threat actors such as APT1 (aka Brown Fox and Comment Panda) and a second group tracked as Brown Worm and Emissary Panda, according to published threat intelligence reports.

Dutch security firm EclecticIQ also reported in February 2024 that the command-and-control (C2) servers associated with a campaign exploiting security flaws in Ivanti appliances ran a version of jQuery that was susceptible to at least one of three flaws, among them CVE-2020-11023.

Federal Civilian Executive Branch (FCEB) agencies are advised to remediate the identified flaw by February 13, 2025, in accordance with Binding Operational Directive (BOD) 22-01, to protect their networks against active threats.

(The article was updated after publication to include references to reports highlighting CVE-2020-11023 exploitation.)
