A team of specialists from a malware analysis course has revealed the finding of a critical vulnerability in jQuery, the cross-platform JavaScript library that simplifies the way to interact with HTML documents, manipulate the DOM tree, handle events, develop animations, and add interaction with the AJAX technique to any website.
According to the report, exploiting this vulnerability would allow threat actors to deploy cross-site scripting (XSS) attacks. Below is a brief overview of the reported vulnerability, in addition to its respective score and identification key according to the Common Vulnerability Scoring System (CVSS).
The vulnerability, tracked as CVE-2020-7656 exists due to insufficient debugging of user-provided data within the load() function and would allow threat actors to deploy cross-site script attacks.
According to the malware analysis course experts, remote hackers could pass specially crafted HTML code to the target application and run it in the victim’s browser in the context of the affected website. If the vulnerability is exploited remotely, threat actors could extract potentially sensitive information, modify the appearance of the vulnerable website, deploy phishing campaigns, perform arbitrary downloads, among other attacks.
While this vulnerability can be exploited by unauthenticated malicious hackers, experts have not detected the existence of an exploit to trigger the attack, although there is a proof-of-concept (available below).
index.html:
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js"></script>
</head>
<body>
<div id="mydiv"></div>
<script>
$("#mydiv").load('inject.html #himom');
</script>
</body>
</html>
inject.html:
<div id="himom"><script>alert('Arbitrary Code Execution');</script ></div>
The vulnerability is present in the following versions of jQuery: 1.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.3.1, 1.1.4, 1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3, 1.3.0, 1.3.1, 1.3.2, 1.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4 1.5, 1.5.0, 1.5.1, 1.5.2, 1.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6. 4, 1.7, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2 and 1.8.3, mention the experts of the malware analysis course.
Developers of jQuery have already released a patch that fixes this flaw, available on their official platforms. There are no known workarounds for this flaw, so vulnerable deployment administrators are encouraged to upgrade as soon as possible. Further details about the vulnerability could be revealed when the risk of exploitation is considered to have been mitigated.
This flaw received a score of 5.5/10 on the CVSS scale, making it a medium severity vulnerability, not to mention its exploitation is a complex process. For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.