Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJwcWotaDN2ai1wcWd3

Cross-Site Scripting in jquery

Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution.

Proof of Concept

$("#log").html(
    $("element[attribute='<img src=\"x\" onerror=\"alert(1)\" />']").html()
);

Recommendation

Update to version 1.9.0 or later.

Permalink: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJwcWotaDN2ai1wcWd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 9 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-2pqj-h3vj-pqgw, CVE-2012-6708
References: Repository: https://github.com/jquery/jquery

Affected Packages

rubygems:jquery-rails
Dependent packages: 1,565
Dependent repositories: 576,659
Downloads: 238,160,239 total
Affected Version Ranges: < 2.2.0
Fixed in: 2.2.0
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4
All unaffected versions: 2.2.0, 2.2.1, 2.2.2, 2.3.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.5.0, 4.5.1, 4.6.0
nuget:jQuery
Dependent packages: 170
Dependent repositories: 1,276
Downloads: 180,684,233 total
Affected Version Ranges: <= 1.8.3
Fixed in: 1.9.0
All affected versions: 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3
All unaffected versions: 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 3.0.0, 3.1.0, 3.1.1, 3.2.1, 3.3.1, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.3, 3.6.4, 3.7.0, 3.7.1
maven:org.webjars.npm:jquery
Dependent packages: 459
Dependent repositories: 216
Downloads:
Affected Version Ranges: <= 1.8.3
Fixed in: 1.9.0
All affected versions: 1.7.2, 1.7.3, 1.8.2, 1.8.3
All unaffected versions: 1.9.1, 1.11.0, 1.11.1, 1.11.3, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 2.1.0, 2.1.1, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1
npm:jquery
Dependent packages: 28,173
Dependent repositories: 998,742
Downloads: 43,758,028 last month
Affected Version Ranges: <= 1.8.3
Fixed in: 1.9.0
All affected versions: 1.5.1, 1.6.2, 1.6.3, 1.7.2, 1.7.3, 1.8.2, 1.8.3
All unaffected versions: 1.9.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1