CVE-2020-11022: 
JavaScript vulnerability analysis and mitigation

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This vulnerability was discovered in April 2020 and is tracked as CVE-2020-11022. The issue affects jQuery's htmlPrefilter method and related DOM manipulation functions (jQuery Blog, GitHub Advisory).

The vulnerability exists in jQuery's htmlPrefilter method which was used to ensure all closing tags were XHTML-compliant when passed to DOM manipulation methods. The HTML parser in jQuery <= 3.5.0 had edge cases where parsing could have unintended consequences, potentially leading to cross-site scripting (XSS). The vulnerability has a CVSS v3.1 Base Score of 6.1 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

Successful exploitation of this vulnerability could allow an attacker to execute untrusted code through jQuery's DOM manipulation methods, even after sanitizing the HTML input. This could lead to cross-site scripting attacks that bypass normal sanitization procedures (GitHub Advisory).

The vulnerability was patched in jQuery 3.5.0. Users should upgrade to this version or later to address the issue. For those unable to upgrade immediately, a workaround is available by redefining jQuery.htmlPrefilter as an identity function. However, this workaround removes the security fix and requires extra caution when handling HTML input. When sanitizing HTML for use with jQuery, it is recommended to use DOMPurify with appropriate options (jQuery Upgrade Guide).

The vulnerability received significant attention from the security community due to jQuery's widespread use. Multiple organizations including Oracle, Debian, and others issued security advisories and patches for their products that included the vulnerable jQuery versions. The issue was rated as 'Moderate' severity by most vendors (Drupal SA, Oracle Advisory).