• Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-April-10
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-11022 and CVE-2020-11023


The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others."

The Drupal project has backported the relevant fixes back to jQuery 1.x and Joomla has adopted that patch.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18


Upgrade to version 3.9.19


The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST