CVE-2020-11022
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code [1].
REPORTED PRODUCTS
- WSO2 API Manager: 4.5.0
WSO2 JUSTIFICATION
jQuery is included only in the Swagger UI related static frontend assets that ship with the OpenAPI Generator dependency. WSO2 API Manager does not use, serve, or execute these assets at runtime. API-M uses OpenAPI Generator only for Java-based backend processing (e.g., client SDK generation) and does not execute any of its JavaScript code. Therefore, this jQuery vulnerability is neither reachable nor exploitable in the API-M runtime and does not pose a security risk.
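For teams doing their own supply-chain review of bundled assets like the ones described above, the following is an added Python example (not WSO2's, jQuery's, or OpenAPI Generator's code) that reads the version banner jQuery places at the top of its files and reports whether it falls in the CVE-2020-11022 range stated in this advisory (1.2 <= version < 3.5.0). The file names and banner strings in the sample are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the advisory: 1.2 <= version < 3.5.0
AFFECTED_MIN = (1, 2, 0)
FIXED_IN = (3, 5, 0)

# Matches the banner jQuery ships at the top of its builds, e.g.
# "/*! jQuery v3.4.1 | ..." or " * jQuery JavaScript Library v1.12.4"
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a jQuery banner, or None if no banner is present."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the CVE-2020-11022 range."""
    return AFFECTED_MIN <= version < FIXED_IN


def scan_asset(text: str) -> str:
    """Classify one asset's contents: no banner, affected, or not affected."""
    v = parse_version(text)
    if v is None:
        return "no-jquery-banner"
    label = ".".join(map(str, v))
    return f"{label}: {'AFFECTED' if is_affected(v) else 'not affected'}"


# Constructed sample assets (hypothetical paths and banners, not real WSO2 files)
SAMPLE_ASSETS = {
    "swagger-ui/jquery.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */",
    "legacy/jquery.js": " * jQuery JavaScript Library v1.12.4",
    "patched/jquery.min.js": "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */",
    "vendor/lodash.min.js": "/** @license lodash */",
}

if __name__ == "__main__":
    for path, contents in SAMPLE_ASSETS.items():
        print(f"{path}: {scan_asset(contents)}")
```

A version in range only matters if the asset is actually served to browsers; for files that are never served, as the justification above states for API-M, the finding is a tracking item rather than a live exposure.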