Skip to main content

TB092 jQuery Version Affected by CVE-2020-11023 (Cross-Site Scripting Vulnerability)




Alert Type



FIPS 199 Severity Level: High

CVSS Score: 7.6 

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): R

Scope (S): C

Confidentiality (C): N

Integrity (I): H

Availability (A): L

The Delphix Virtualization Engine includes a version of the jQuery library that is impacted by a cross-site scripting (XSS) vulnerability (CVE-2020-11023): jQuery may execute untrusted code when passing HTML from untrusted sources. From the jQuery blog about the 3.5.0 release:

jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter ensured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>"). Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.

The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. 

Contributing Factors

This article applies to the following versions of the Delphix engine:

Major Release All Sub Releases



The Delphix Masking Engine is not affected by this vulnerability.


The vulnerable function within the jQuery library is used in the following ways within the Delphix Virtualization product:

  • Throughout the Delphix Self-Service’s functionality

  • On the login page for the Delphix Virtualization Engine

Again, the Delphix Masking Engine is not affected by this vulnerability.




This issue is fully resolved in the Delphix Virtualization Engine release. Delphix strongly recommends upgrading to the release to resolve the issue.

Additional Information


Related Documents