Description
This is a low-impact, limited XSS because the code of the XSS payload is always visible, but an attacker can use other techniques to hide the code the victim sees.
Also, if the application uses the execHash option and executes code from the URL, the attacker can use this URL to execute their code.
Recommendation
Update the jquery.terminal package to the latest compatible version. Version details:
- Affected version(s): < 2.31.1
- Patched version(s): 2.31.1
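One way to check this recommendation against a project's lockfile, as an added example rather than code from the advisory or the jquery.terminal project: it reports every installed copy of jquery.terminal older than the patched 2.31.1, in both the flat and the nested npm lockfile layouts. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag jquery.terminal entries older than the patched 2.31.1.
const PACKAGE = "jquery.terminal";
const PATCHED = [2, 31, 1];

// Parse "major.minor.patch[-pre]"; returns null when the string is not semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when older than 2.31.1. Non-semver values (git URLs, tarballs, links)
// are reported too, so that someone reviews them by hand.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== PATCHED[i]) return p.nums[i] < PATCHED[i];
  }
  return p.pre; // 2.31.1-beta sorts before 2.31.1
}

// Accepts a parsed package-lock.json and returns [{ path, version }, ...].
function findAffected(lock) {
  const hits = [];
  const check = (path, info) => {
    if (isAffected(info.version)) hits.push({ path, version: info.version });
  };
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PACKAGE)) check(path, info);
    }
    return hits;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested dependency tree
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === PACKAGE) check(prefix + name, info);
      walk(info.dependencies, prefix + name + " > ");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile, not taken from the advisory.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/jquery.terminal": { version: "2.29.0" },
  "node_modules/widget/node_modules/jquery.terminal": { version: "2.31.1" },
} };
console.log(findAffected(sampleLock));
```

Nested copies pulled in by other packages are reported with their full install path, which shows which dependency has to be updated to get the patched release.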
References
Related Issues
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- XSS in the `altField` option of the Datepicker widget in jquery-ui - CVE-2021-41182
- XSS in `*Text` options of the Datepicker widget in jquery-ui - CVE-2021-41183
- XSS in the `of` option of the `.position()` util in jquery-ui - CVE-2021-41184
Tags
- npm
- jquery.terminal
Last updated on January 30, 2023