Description
This is a low-impact, limited XSS, because the code for the XSS payload is always visible, but an attacker can use other techniques to hide the code the victim sees.
Also, if the application uses the `execHash` option and executes code from the URL, an attacker can use this URL to execute their code.
Recommendation
Update the jquery.terminal package to the latest compatible version. The version details are as follows:
- Affected version(s): < 2.31.1
- Patched version(s): 2.31.1
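One way to check a project against the version boundary above, as an added example that is not part of the original advisory or the jquery.terminal project: it scans a parsed `package-lock.json` (both the v1 `dependencies` tree and the v2/v3 `packages` map) for jquery.terminal installs below 2.31.1. The names `isAffected`, `findAffected` and `SAMPLE_LOCK` are hypothetical, and the lockfile content is constructed.

```javascript
const PKG = 'jquery.terminal';
const PATCHED = [2, 31, 1]; // first patched version, from the advisory

// True when `version` is below 2.31.1. Anything that does not parse as
// MAJOR.MINOR.PATCH (git URL, tarball, missing) is flagged for manual review.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return m[4] === '-'; // a pre-release of 2.31.1 sorts before 2.31.1 itself
}

// Collect every affected install, including copies nested under other packages.
function findAffected(lock) {
  const hits = [];
  // Lockfile v2/v3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === PKG && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // Lockfile v1 (also present in v2 for compatibility): nested tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG && isAffected(meta.version) && !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: a vulnerable top-level copy and a patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/jquery.terminal': { version: '2.31.0' },
    'node_modules/widget/node_modules/jquery.terminal': { version: '2.31.1' },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findAffected`.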
References
Related Issues
- XSS in the `of` option of the `.position()` util in jquery-ui - CVE-2021-41184
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- XSS in `*Text` options of the Datepicker widget in jquery-ui - CVE-2021-41183
- XSS in the `altField` option of the Datepicker widget in jquery-ui - CVE-2021-41182
Tags: npm, jquery.terminal
Last updated on January 30, 2023


