Description
Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression.
Recommendation
Update the jquery package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 1.8.3
- Patched version(s): 1.9.0
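The anchoring problem from the Description and the version range above, as an added example (not code from jQuery or from this advisory). The two patterns are simplified assumptions modelled on the description, and `classify`, `assertSelector` and `isAffected` are hypothetical helper names.

```javascript
// Added illustration; simplified patterns, not copied from jQuery's source.
// Unanchored: markup anywhere after leading non-"<" text counts as HTML.
const LOOSE_HTML = /^[^<]*(<[\w\W]+>)[^>]*$/;
// Anchored (assumed shape of a proper fix): the string must start with "<".
const STRICT_HTML = /^\s*(<[\w\W]+>)[^>]*$/;

// Report how a given pattern would treat the input string.
function classify(input, pattern) {
  return pattern.test(input) ? "html" : "selector";
}

// Guard for call sites that expect a selector: reject anything containing "<"
// before the value reaches a function that may interpret it as HTML.
function assertSelector(input) {
  if (typeof input !== "string" || input.includes("<")) {
    throw new TypeError("expected a CSS selector, got markup-like input");
  }
  return input;
}

// True when a jquery version string falls in the affected range (<= 1.8.3).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(version);
  if (!m) throw new Error("unparseable version: " + version);
  const v = [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
  const max = [1, 8, 3];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== max[i]) return v[i] < max[i];
  }
  return true; // exactly 1.8.3
}

// Constructed sample inputs with harmless markup.
const samples = ["#tab-2", "<b>hello</b>", "#tab-2<b>hello</b>"];
for (const s of samples) {
  console.log(JSON.stringify(s), classify(s, LOOSE_HTML), classify(s, STRICT_HTML));
}
```

Only the third sample is classified differently by the two patterns: a string that begins like a selector but carries markup later on.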
References
- GHSA-2pqj-h3vj-pqgw
- bugs.jquery.com
- help.ecostruxureit.com
- lists.apache.org
- snyk.io
- lists.opensuse.org
- packetstormsecurity.com
- security.snyk.io
- research.insecurelabs.org
- web.archive.org
- CVE-2012-6708
- CWE-64
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- Prototype Pollution in lodash (GHSA-4xc9-xhrj-v574) - CVE-2018-16487
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
Tags
- npm
- jquery
Last updated on July 10, 2023