
CVE-2020-11022 PoC — jQuery Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: jQuery Cross-Site Scripting Vulnerability (CVE-2020-11022)
Description: jQuery is an open-source, cross-browser JavaScript library by the American individual developer John Resig. It simplifies the interaction between HTML and JavaScript and features modularity and plugin extensibility. jQuery versions from 1.2 up to (but not including) 3.5.0 contain a cross-site scripting vulnerability. The flaw stems from the web application failing to properly validate client-side data. An attacker can exploit this vulnerability to execute client-side code.
Description
Vulnerability Report of the New Jersey official site
Readme
# https-nj.gov---CVE-2020-11022
#### Vulnerability Report of the New Jersey official site
Potential XSS vulnerability in jQuery.htmlPrefilter and related methods.

Passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
# RECOMMENDATION
This problem is patched in jQuery 3.5.0, so upgrading to 3.5.0 or later is sufficient to fix it.

To fix this bug without upgrading jQuery, add the following code after the jQuery library has loaded:

```javascript
jQuery.htmlPrefilter = function( html ) {
  return html;
};
```
##### At least jQuery 1.12/2.2 or later is required to apply this workaround.
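The following is an added example, not code from this README or from the jQuery project. It models what `jQuery.htmlPrefilter` did before 3.5.0 (the `rxhtmlTag` regex and `"<$1></$2>"` replacement are copied from the jQuery 3.4.x source; confirm them against the version you run) next to the identity function that 3.5.0 and the workaround above install, and adds a small runtime check a page can use to confirm the workaround took effect. The `makeFakeJQuery` stand-in object and the function names are assumptions made so the example runs offline under Node without loading jQuery.

```javascript
// Assumption: this is the rxhtmlTag regex from jQuery 3.4.x. Before 3.5.0,
// htmlPrefilter ran it over every HTML string handed to .html()/.append()/etc.
// and expanded self-closing tags into explicit open/close pairs. That rewrite
// happens AFTER any sanitizer has run, so sanitizer output is no longer the
// markup the browser parses. Tags in the negative lookahead are void elements
// that are left untouched.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5.0 behaviour: "<div/>" becomes "<div></div>".
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5.0+ behaviour, and exactly what the README's workaround installs:
// the string is passed through unchanged.
function patchedHtmlPrefilter(html) {
  return html;
}

// Constructed stand-in for a jQuery global so the check below runs offline.
// Only the two properties the check touches are modelled.
function makeFakeJQuery(prefilter) {
  return { fn: { jquery: "3.4.1" }, htmlPrefilter: prefilter };
}

// The README's workaround, applied to a given jQuery object.
function applyWorkaround(jq) {
  jq.htmlPrefilter = function (html) {
    return html;
  };
  return jq;
}

// Runtime check: feed htmlPrefilter a benign self-closing tag that the legacy
// regex rewrites and see whether it comes back unchanged. Returns true when
// the filter is the identity (jQuery >= 3.5.0 or workaround in place).
function prefilterIsIdentity(jq) {
  const probe = "<div/>";
  return typeof jq.htmlPrefilter === "function" && jq.htmlPrefilter(probe) === probe;
}

// Stand-alone demonstration when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  const jq = makeFakeJQuery(legacyHtmlPrefilter);
  console.log("legacy filter rewrites <div/> to:", jq.htmlPrefilter("<div/>"));
  console.log("identity before workaround:", prefilterIsIdentity(jq));
  applyWorkaround(jq);
  console.log("identity after workaround:", prefilterIsIdentity(jq));
}
```

The probe in `prefilterIsIdentity` is deliberately harmless markup; the point of the check is to detect a jQuery build whose prefilter still rewrites input, so a deployment can fail a smoke test rather than silently ship the old behaviour.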
# REFERENCES
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

##### For more information
If you have any questions or comments about this advisory, search for a relevant issue in the [jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.
File Snapshot

[4.0K] /data/pocs/a178801738204db30268e6a45521614182349aed
└── [1009] README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.