Cross-Site Scripting in jingo

Description

Versions of jingo prior to 1.9.2 are vulnerable to Cross-Site Scripting (XSS). If malicious input such as <script>alert(1)</script> is placed in the content of a wiki page, Jingo does not properly encode the input and it is executed instead of rendered as text.

Recommendation

Update the jingo package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.9.2
• Patched version(s): 1.9.2

References

• GHSA-mpjf-8cmf-p789
• www.npmjs.com
• CWE-79
• OWASP 2021-A3

Related Issues

• Vditor Cross-site Scripting vulnerability - CVE-2021-32855
• Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
• @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
• CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064

Tags:

npm

jingo