CVE-2020-7656

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Published: May 19, 2020
Updated: Jun 14, 2023
CVE: CVE-2020-7656
GHSA: GHSA-q4m3-2j7h-f7xw
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
jquery / jquery	-	1.9.0
jquery	-	1.9.0
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
netapp / oncommand_system_manager	3.0.0	3.1.3.x
juniper / junos	21.2	21.2.x

https://security.netapp.com/advisory/ntap-20200528-0001/
https://snyk.io/vuln/SNYK-JS-JQUERY-569619
https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US
https://www.npmjs.com/advisories/1524
https://www.oracle.com/security-alerts/cpujul2022.html

Vulnerability Database

289,599

CVE-2020-7656