Vulnerability details: VCID-54hw-cf5y-aaaj
Vulnerability ID VCID-54hw-cf5y-aaaj
Aliases CVE-2020-23064
GHSA-257q-pv89-v3xv
Summary Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.
Status Invalid
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (4)
System Score Found at
cvssv3 6.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-23064.json
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2020-23064
epss 0.00049 https://api.first.org/data/v1/epss?cve=CVE-2020-23064
cvssv3 6.9 https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
cvssv3.1 6.1 https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
generic_textual MODERATE https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
cvssv3 6.1 https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-257q-pv89-v3xv
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
cvssv3.1 6.1 https://github.com/jquery/jquery
generic_textual MODERATE https://github.com/jquery/jquery
cvssv3.1 6.1 https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
generic_textual MODERATE https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
cvssv3.1 6.1 https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
generic_textual MODERATE https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
cvssv3.1 6.1 https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
generic_textual MODERATE https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
cvssv3.1 6.1 https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
generic_textual MODERATE https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
cvssv3.1 6.1 https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
generic_textual MODERATE https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
cvssv3 6.1 https://nvd.nist.gov/vuln/detail/CVE-2020-23064
cvssv3.1 6.1 https://security.netapp.com/advisory/ntap-20230725-0003
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20230725-0003
cvssv3.1 6.1 https://snyk.io/vuln/SNYK-JS-JQUERY-565129
generic_textual MODERATE https://snyk.io/vuln/SNYK-JS-JQUERY-565129
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-23064.json
https://api.first.org/data/v1/epss?cve=CVE-2020-23064
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23064
https://github.com/jquery/jquery
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
https://security.netapp.com/advisory/ntap-20230725-0003
https://security.netapp.com/advisory/ntap-20230725-0003/
https://snyk.io/vuln/SNYK-JS-JQUERY-565129
2217733 https://bugzilla.redhat.com/show_bug.cgi?id=2217733
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:brocade_san_navigator:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:brocade_san_navigator:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:virtual_desktop_service:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:virtual_desktop_service:-:*:*:*:*:*:*:*
CVE-2020-23064 https://nvd.nist.gov/vuln/detail/CVE-2020-23064
CVE-2020-23064.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml
GHSA-257q-pv89-v3xv https://github.com/advisories/GHSA-257q-pv89-v3xv
GHSA-jpcq-cgw6-v4j6 https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
RHSA-2025:7625 https://access.redhat.com/errata/RHSA-2025:7625
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-23064.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/jquery/jquery
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-23064
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20230725-0003
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://snyk.io/vuln/SNYK-JS-JQUERY-565129
Exploit Prediction Scoring System (EPSS)
Percentile 0.16818
EPSS Score 0.00045
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2025-04-19T13:22:45.417911+00:00 NVD CVE Status Improver Improve https://cveawg.mitre.org/api/cve/CVE-2020-23064 36.0.0