jQuery 至 3.4.x html 跨站点脚本漏洞

admin

0
文章

0
评论

2023-12-01 21:51:50 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

低危 jQuery 至 3.4.x html 跨站点脚本漏洞

CVE编号

CVE-2020-11022

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2020-04-30

漏洞描述

jQuery是美国John Resig程序员的一套开源、跨浏览器的JavaScript库。该库简化了HTML与JavaScript之间的操作，并具有模块化、插件扩展等特点。 jQuery 1.2版本至3.5.0之前版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。

解决建议

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

参考链接
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
https://jquery.com/upgrade-guide/3.5/
https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba...
https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3...
https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442ee...
https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b...
https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bc...
https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc...
https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373c...
https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed7095448...
https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677b...
https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68...
https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea365005...
https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.gentoo.org/glsa/202007-03
https://security.netapp.com/advisory/ntap-20200511-0006/
https://www.debian.org/security/2020/dsa-4693
https://www.drupal.org/sa-core-2020-002
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.tenable.com/security/tns-2020-10
https://www.tenable.com/security/tns-2020-11
https://www.tenable.com/security/tns-2021-02
https://www.tenable.com/security/tns-2021-10

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	drupal	drupal	*	From (including) 7.0	Up to (excluding) 7.70
	运行在以下环境
	应用	drupal	drupal	*	From (including) 8.7.0	Up to (excluding) 8.7.14
	运行在以下环境
	应用	drupal	drupal	*	From (including) 8.8.0	Up to (excluding) 8.8.6
	运行在以下环境
	应用	jquery	jquery	*	From (including) 1.2	Up to (excluding) 3.5.0
	运行在以下环境
	应用	netapp	oncommand_insight	-	-
	运行在以下环境
	应用	netapp	oncommand_system_manager	*	From (including) 3.0	Up to (including) 3.1.3
	运行在以下环境
	应用	netapp	snapcenter	-	-
	运行在以下环境
	应用	netapp	snap_creator_framework	-	-
	运行在以下环境
	应用	opensuse	backports_sle	15.0	-
	运行在以下环境
	应用	oracle	agile_product_supplier_collaboration_for_process	6.2.0.0	-
	运行在以下环境
	应用	oracle	application_testing_suite	13.3.0.1	-
	运行在以下环境
	应用	oracle	banking_digital_experience	18.1	-
	运行在以下环境
	应用	oracle	banking_digital_experience	18.2	-
	运行在以下环境
	应用	oracle	banking_digital_experience	18.3	-
	运行在以下环境
	应用	oracle	banking_digital_experience	19.1	-
	运行在以下环境
	应用	oracle	banking_digital_experience	19.2	-
	运行在以下环境
	应用	oracle	banking_digital_experience	20.1	-
	运行在以下环境
	应用	oracle	communications_application_session_controller	3.8m0	-
	运行在以下环境
	应用	oracle	communications_billing_and_revenue_management	12.0.0.3.0	-
	运行在以下环境
	应用	oracle	communications_billing_and_revenue_management	7.5.0.23.0	-
	运行在以下环境
	应用	oracle	communications_diameter_signaling_router_idih~	*	From (including) 8.0.0	Up to (including) 8.2.2
	运行在以下环境
	应用	oracle	communications_webrtc_session_controller	7.2	-
	运行在以下环境
	应用	oracle	enterprise_manager_ops_center	12.4.0.0	-
	运行在以下环境
	应用	oracle	enterprise_session_border_controller	8.4	-
	运行在以下环境
	应用	oracle	financial_services_analytical_applications_infrastructure	*	From (including) 8.0.6.0.0	Up to (including) 8.1.0.0.0
	运行在以下环境
	应用	oracle	financial_services_analytical_applications_reconciliation_framework	*	From (including) 8.0.6	Up to (including) 8.0.8
	运行在以下环境
	应用	oracle	financial_services_analytical_applications_reconciliation_framework	8.1.0	-
	运行在以下环境
	应用	oracle	financial_services_asset_liability_management	8.0.6	-
	运行在以下环境
	应用	oracle	financial_services_asset_liability_management	8.0.7	-
	运行在以下环境
	应用	oracle	financial_services_asset_liability_management	8.1.0	-
	运行在以下环境
	应用	oracle	financial_services_balance_sheet_planning	8.0.8	-
	运行在以下环境
应用	oracle	financial_services_basel_regulatory_capital_basic	*	From (including) 8.0.6	Up to (including) 8.0.8
运行在以下环境
应用	oracle	financial_services_basel_regulatory_capital_basic	8.1.0	-
运行在以下环境
应用	oracle	financial_services_basel_regulatory_capital_internal_ratings_based_approach	*	From (including) 8.0.6	Up to (including) 8.0.8
运行在以下环境
应用	oracle	financial_services_basel_regulatory_capital_internal_ratings_based_approach	8.1.0	-
运行在以下环境
应用	oracle	financial_services_data_foundation	*	From (including) 8.0.6	Up to (including) 8.1.0
运行在以下环境
应用	oracle	financial_services_data_governance_for_us_regulatory_reporting	*	From (including) 8.0.6	Up to (including) 8.0.9
运行在以下环境
应用	oracle	financial_services_data_integration_hub	8.0.6	-
运行在以下环境
应用	oracle	financial_services_data_integration_hub	8.0.7	-
运行在以下环境
应用	oracle	financial_services_data_integration_hub	8.1.0	-
运行在以下环境
应用	oracle	financial_services_funds_transfer_pricing	8.0.6	-
运行在以下环境
应用	oracle	financial_services_funds_transfer_pricing	8.0.7	-
运行在以下环境
应用	oracle	financial_services_funds_transfer_pricing	8.1.0	-
运行在以下环境
应用	oracle	financial_services_hedge_management_and_ifrs_valuations	*	From (including) 8.0.6	Up to (including) 8.0.8
运行在以下环境
应用	oracle	financial_services_hedge_management_and_ifrs_valuations	8.1.0	-
运行在以下环境
应用	oracle	financial_services_institutional_performance_analytics	8.0.6	-
运行在以下环境
应用	oracle	financial_services_institutional_performance_analytics	8.0.7	-
运行在以下环境
应用	oracle	financial_services_institutional_performance_analytics	8.1.0	-
运行在以下环境
应用	oracle	financial_services_liquidity_risk_management	8.0.6	-
运行在以下环境
应用	oracle	financial_services_liquidity_risk_measurement_and_management	8.0.7	-
运行在以下环境
应用	oracle	financial_services_liquidity_risk_measurement_and_management	8.0.8	-
运行在以下环境
应用	oracle	financial_services_liquidity_risk_measurement_and_management	8.1.0	-
运行在以下环境
应用	oracle	financial_services_loan_loss_forecasting_and_provisioning	*	From (including) 8.0.6	Up to (including) 8.0.8
运行在以下环境
应用	oracle	financial_services_loan_loss_forecasting_and_provisioning	8.1.0	-
运行在以下环境
应用	oracle	financial_services_market_risk_measurement_and_management	8.0.6	-
运行在以下环境
应用	oracle	financial_services_market_risk_measurement_and_management	8.0.8	-
运行在以下环境
应用	oracle	financial_services_price_creation_and_discovery	8.0.6	-
运行在以下环境
应用	oracle	financial_services_price_creation_and_discovery	8.0.7	-
运行在以下环境
应用	oracle	financial_services_profitability_management	8.0.6	-
运行在以下环境
应用	oracle	financial_services_profitability_management	8.0.7	-
运行在以下环境
应用	oracle	financial_services_profitability_management	8.1.0	-
运行在以下环境
应用	oracle	financial_services_regulatory_reporting_for_european_banking_authority	*	From (including) 8.0.6	Up to (including) 8.1.0
运行在以下环境
应用	oracle	financial_services_regulatory_reporting_for_us_federal_reserve	*	From (including) 8.0.6	Up to (including) 8.0.9
运行在以下环境
应用	oracle	healthcare_foundation	7.1.1	-
运行在以下环境
应用	oracle	healthcare_foundation	7.2.0	-
运行在以下环境
应用	oracle	healthcare_foundation	7.2.1	-
运行在以下环境
应用	oracle	healthcare_foundation	7.3.0	-
运行在以下环境
应用	oracle	hospitality_materials_control	18.1	-
运行在以下环境
应用	oracle	hospitality_simphony	*	From (including) 19.1.0	Up to (including) 19.1.2
运行在以下环境
应用	oracle	hospitality_simphony	18.1	-
运行在以下环境
应用	oracle	hospitality_simphony	18.2	-
运行在以下环境
应用	oracle	insurance_accounting_analyzer	8.0.9	-
运行在以下环境
应用	oracle	insurance_allocation_manager_for_enterprise_profitability	8.0.8	-
运行在以下环境
应用	oracle	insurance_allocation_manager_for_enterprise_profitability	8.1.0	-
运行在以下环境
应用	oracle	insurance_data_foundation	*	From (including) 8.0.6	Up to (including) 8.1.0
运行在以下环境
应用	oracle	insurance_insbridge_rating_and_underwriting	*	From (including) 5.0.0.0	Up to (including) 5.6.0.0
运行在以下环境
应用	oracle	insurance_insbridge_rating_and_underwriting	5.6.1.0	-
运行在以下环境
应用	oracle	jdeveloper	11.1.1.9.0	-
运行在以下环境
应用	oracle	jdeveloper	12.2.1.3.0	-
运行在以下环境
应用	oracle	jdeveloper	12.2.1.4.0	-
运行在以下环境
应用	oracle	peoplesoft_enterprise_peopletools	8.56	-
运行在以下环境
应用	oracle	peoplesoft_enterprise_peopletools	8.57	-
运行在以下环境
应用	oracle	peoplesoft_enterprise_peopletools	8.58	-
运行在以下环境
应用	oracle	policy_automation	*	From (including) 12.2.0	Up to (including) 12.2.20
运行在以下环境
应用	oracle	policy_automation_connector_for_siebel	10.4.6	-
运行在以下环境
应用	oracle	policy_automation_for_mobile_devices	*	From (including) 12.2.0	Up to (including) 12.2.20
运行在以下环境
应用	oracle	retail_back_office	14.0	-
运行在以下环境
应用	oracle	retail_back_office	14.1	-
运行在以下环境
应用	oracle	retail_customer_management_and_segmentation_foundation	19.0	-
运行在以下环境
应用	oracle	retail_returns_management	14.0	-
运行在以下环境
应用	oracle	retail_returns_management	14.1	-
运行在以下环境
应用	oracle	siebel_ui_framework	20.8	-
运行在以下环境
应用	oracle	weblogic_server	10.3.6.0.0	-
运行在以下环境
应用	oracle	weblogic_server	12.1.3.0.0	-
运行在以下环境
应用	oracle	weblogic_server	12.2.1.3.0	-
运行在以下环境
应用	oracle	weblogic_server	12.2.1.4.0	-
运行在以下环境
应用	oracle	weblogic_server	14.1.1.0.0	-
运行在以下环境
系统	alibaba_cloud_linux_2.1903	ipa-server-common	*		Up to (excluding) 4.6.8-5.1.al7
运行在以下环境
系统	alpine_3.11	drupal7	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_3.12	drupal7	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_3.13	cacti	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_3.14	cacti	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_3.15	cacti	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_3.16	cacti	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_3.17	cacti	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_3.18	cacti	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	alpine_edge	cacti	*		Up to (excluding) 7.70-r0
运行在以下环境
系统	amazon_2	ipa	*		Up to (excluding) 4.6.8-5.amzn2
运行在以下环境
系统	centos_7	ipa	*		Up to (excluding) 4.6.8-5.el7
运行在以下环境
系统	centos_8	slapi-nis-debugsource	*		Up to (excluding) 2.10.0-1.module+el8.2.0+5059+3eb3af25
运行在以下环境
系统	debian	debian_linux	9.0	-
运行在以下环境
系统	debian_10	jquery	*		Up to (excluding) 3.3.1~dfsg-3+deb10u1
运行在以下环境
系统	debian_11	node-jquery	*		Up to (excluding) 3.5.0+dfsg-2
运行在以下环境
系统	debian_12	node-jquery	*		Up to (excluding) 3.5.0+dfsg-2
运行在以下环境
系统	debian_9	drupal7	*		Up to (excluding) 7.52-2+deb9u10
运行在以下环境
系统	debian_sid	node-jquery	*		Up to (excluding) 3.5.0+dfsg-2
运行在以下环境
系统	fedoraproject	fedora	31	-
运行在以下环境
系统	fedoraproject	fedora	32	-
运行在以下环境
系统	fedoraproject	fedora	33	-
运行在以下环境
系统	fedora_31	drupal7-rpmbuild	*		Up to (excluding) 7.72-1.fc31
运行在以下环境
系统	fedora_32	drupal7	*		Up to (excluding) 8.9.0-1.fc32
运行在以下环境
系统	fedora_33	drupal7-rpmbuild	*		Up to (excluding) 7.72-1.fc33
运行在以下环境
系统	fedora_EPEL_6	drupal7-rpmbuild	*		Up to (excluding) 7.72-1.el6
运行在以下环境
系统	fedora_EPEL_7	drupal7-rpmbuild	*		Up to (excluding) 7.72-1.el7
运行在以下环境
系统	netapp	h300e_firmware	-	-
运行在以下环境
系统	netapp	h300s_firmware	-	-
运行在以下环境
系统	netapp	h410c_firmware	-	-
运行在以下环境
系统	netapp	h410s_firmware	-	-
运行在以下环境
系统	netapp	h500e_firmware	-	-
运行在以下环境
系统	netapp	h500s_firmware	-	-
运行在以下环境
系统	netapp	h700e_firmware	-	-
运行在以下环境
系统	netapp	h700s_firmware	-	-
运行在以下环境
系统	opensuse	leap	15.1	-
运行在以下环境
系统	opensuse	leap	15.2	-
运行在以下环境
系统	opensuse_Leap_15.1	cacti	*		Up to (excluding) 6.0.30-bp152.2.11.1
运行在以下环境
系统	opensuse_Leap_15.2	cacti	*		Up to (excluding) 6.0.30-bp152.2.11.1
运行在以下环境
系统	oracle_7	oraclelinux-release	*		Up to (excluding) 4.6.8-5.0.1.el7
运行在以下环境
系统	oracle_8	oraclelinux-release	*		Up to (excluding) 2.6-21.module+el8.3.0+7697+44932688
运行在以下环境
系统	redhat_7	ipa-client	*		Up to (excluding) 4.6.8-5.el7
运行在以下环境
系统	redhat_8	slapi-nis-debugsource	*		Up to (excluding) 2.10.0-1.module+el8.2.0+5059+3eb3af25
运行在以下环境
硬件	netapp	h300e	-	-
运行在以下环境
硬件	netapp	h300s	-	-
运行在以下环境
硬件	netapp	h410c	-	-
运行在以下环境
硬件	netapp	h410s	-	-
运行在以下环境
硬件	netapp	h500e	-	-
运行在以下环境
硬件	netapp	h500s	-	-
运行在以下环境
硬件	netapp	h700e	-	-
运行在以下环境
硬件	netapp	h700s	-	-