The Cybersecurity and Infrastructure Security Agency (CISA) has added a previously patched jQuery vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The medium-severity vulnerability, tracked as CVE-2020-11023, affects the widely used jQuery JavaScript library. It is a cross-site scripting (XSS) flaw: an application that passes attacker-influenced HTML to a jQuery DOM manipulation method such as .html() or .append() can end up executing the attacker's script in the page, even when that HTML was run through a sanitizer first. CVSS base scores assigned by different sources range from 6.1 to 6.9.
The security issue stems from how jQuery handles HTML containing
While CISA has not disclosed specific details about the exploitation activity, security firm EclecticIQ reported in February 2024 that command-and-control servers used in attacks against Ivanti appliances were running versions of jQuery vulnerable to CVE-2020-11023. That finding places the vulnerable library on attacker infrastructure; it does not describe how the flaw itself is being used against victims.
The vulnerability was patched in jQuery 3.5.0, released in April 2020, and upgrading to that release or later is the fix. For code that cannot be upgraded, the workaround given in the jQuery security advisory is to sanitize HTML strings with DOMPurify with its SAFE_FOR_JQUERY option enabled before passing them to jQuery methods. Sanitizing with a generic HTML sanitizer alone is not sufficient, because the flaw is precisely that HTML which has passed a sanitizer can still execute once jQuery processes it. Where the untrusted input is plain text rather than markup, passing it to .text() instead of .html() sidesteps the issue entirely.
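Because the bug lives in the library rather than in any one call site, the practical first step is finding every copy of jQuery below 3.5.0 in a codebase or on a deployed page. The following is an added example, not code from the article, CISA, EclecticIQ or the jQuery project: a dependency-free Node script that pulls jQuery version strings out of source text and flags the affected range (1.0.3 or later and before 3.5.0, the range given in the CVE record; the trigger is HTML containing <option> elements). The banner formats it matches are the ones jQuery prints at the top of its minified and full builds, and the runtime check relies on the real jQuery.fn.jquery property; the sample banners embedded below are constructed for illustration.

```javascript
// Added example: flag jQuery copies affected by CVE-2020-11023.
// Affected range per the CVE record: >= 1.0.3 and < 3.5.0.
const FIRST_AFFECTED = "1.0.3";
const FIXED_IN = "3.5.0";

// Compare two dotted version strings numerically. A pre-release suffix such
// as "-rc1" is ignored, which is acceptable for a triage scan.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// jQuery's minified build starts with "/*! jQuery v1.12.4 | ..." and the full
// build with " * jQuery JavaScript Library v3.4.1"; this matches both forms.
const BANNER_RE = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/g;

// Return every jQuery version string found in a blob of source text
// (e.g. the concatenated contents of a vendor/ or static/ directory).
function findJqueryVersions(source) {
  const versions = [];
  for (const m of source.matchAll(BANNER_RE)) versions.push(m[1]);
  return versions;
}

// Classify each detected copy.
function scanSource(source) {
  return findJqueryVersions(source).map((v) => ({ version: v, affected: isAffected(v) }));
}

// Runtime check for a page that is already loaded. In a browser call this
// as checkRuntime(window.jQuery); it returns null when jQuery is not present.
function checkRuntime(jq) {
  if (!jq || !jq.fn || typeof jq.fn.jquery !== "string") return null;
  return { version: jq.fn.jquery, affected: isAffected(jq.fn.jquery) };
}

// Constructed sample input: three banners as they would appear in vendored
// copies of jQuery (1.12.4 and 3.4.1 are in the affected range, 3.7.1 is not).
const SAMPLE_SOURCES = [
  "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
  " * jQuery JavaScript Library v3.4.1",
  "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */",
].join("\n");

// Stand-in for window.jQuery so the runtime check can be exercised in Node.
const FAKE_OLD_JQUERY = { fn: { jquery: "3.4.1" } };

for (const hit of scanSource(SAMPLE_SOURCES)) {
  console.log(`${hit.version}: ${hit.affected ? "AFFECTED by CVE-2020-11023" : "not affected"}`);
}
console.log("runtime:", checkRuntime(FAKE_OLD_JQUERY));
```

The scan is deliberately string-based so it also catches copies that never appear in a package manifest, such as a jquery.min.js dropped into a static assets folder years ago; for the runtime form, paste checkRuntime into the browser console of a page you own and pass it window.jQuery.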
Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate the vulnerability by February 13, 2025, to protect their networks from potential attacks.
This addition to the KEV catalog highlights the persistent risk of older vulnerabilities, as threat actors continue to exploit known security flaws long after patches become available.