Description
Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression.
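The anchoring problem described above, as an added example that is not jQuery's code or part of the original advisory. Both patterns, the function names and the sample strings are simplified constructions for illustration: the loose pattern accepts text before the first "<", the strict one requires the string to begin with "<".

```javascript
// Illustrative patterns (assumptions, not copied from jQuery's source).
const LOOSE_HTML = /^[^<]*(<[\w\W]+>)[^>]*$/;  // text may precede the markup
const STRICT_HTML = /^(<[\w\W]+>)[^>]*$/;      // markup must start the string

// Decide how a string would be treated: parsed as HTML or used as a selector.
function classify(input, htmlPattern) {
  const m = htmlPattern.exec(input);
  return m ? { kind: "html", markup: m[1] } : { kind: "selector", markup: null };
}

// Constructed sample inputs: two unambiguous, one selector-like string
// that carries markup after its leading text.
const SAMPLES = [
  "ul.menu li",
  "<p>hello</p>",
  "div.item <b>marker</b>",
];

// Run every sample through both patterns.
function compare(samples) {
  return samples.map((input) => ({
    input,
    loose: classify(input, LOOSE_HTML).kind,
    strict: classify(input, STRICT_HTML).kind,
  }));
}

// Inputs on which the two patterns disagree: these are the strings a caller
// meant as selectors but an unanchored check would hand to the HTML parser.
function divergent(samples) {
  return compare(samples)
    .filter((r) => r.loose !== r.strict)
    .map((r) => r.input);
}

// Defensive check for code that must stay on an affected version:
// refuse any value containing "<" before using it as a selector.
function isSelectorOnly(input) {
  return typeof input === "string" && !input.includes("<");
}

console.table(compare(SAMPLES));
console.log("divergent:", divergent(SAMPLES));
```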
Recommendation
Update the jquery package to the latest compatible version. Version details:
- Affected version(s): <= 1.8.3
- Patched version(s): 1.9.0
References
- GHSA-2pqj-h3vj-pqgw
- bugs.jquery.com
- help.ecostruxureit.com
- lists.apache.org
- snyk.io
- lists.opensuse.org
- packetstormsecurity.com
- security.snyk.io
- research.insecurelabs.org
- web.archive.org
- CVE-2012-6708
- CWE-64
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Cross-site Scripting in tableexport.jquery.plugin - CVE-2022-1291
- Cross-Site Scripting (XSS) in jquery - CVE-2015-9251
- jQuery-UI vulnerable to Cross-site Scripting in dialog closeText - CVE-2016-7103
- Cross-site Scripting in jquery.json-viewer - CVE-2022-30241
Tags
- npm
- jquery
Last updated on July 10, 2023


