Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZqOTMtN3dtNC04eDJn
Cross-Site Scripting in jquery-mobile
All version of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XmlHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to include malicious payloads as part of query parameters that are reflected back to the user. A response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} would be parsed as HTML and the JavaScript payload executed.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-fj93-7wm4-8x2gJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZqOTMtN3dtNC04eDJn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
Identifiers: GHSA-fj93-7wm4-8x2g
References:
- https://gist.github.com/jupenur/e5d0c6f9b58aa81860bf74e010cf1685
- https://snyk.io/vuln/SNYK-JS-JQUERYMOBILE-174599
- https://www.npmjs.com/advisories/883
- https://github.com/jquery/jquery-mobile/issues/8640
- https://github.com/jquery/jquery-mobile/pull/8649
- https://github.com/jquery/jquery-mobile/pull/8650
- https://github.com/jquery/jquery-mobile/commit/b0d9cc758a48f13321750d7409fb7655dcdf2b50
- https://github.com/advisories/GHSA-fj93-7wm4-8x2g
Blast Radius: 0.0
Affected Packages
npm:jquery-mobile
Dependent packages: 9Dependent repositories: 132
Downloads: 6,847 last month
Affected Version Ranges: >= 0
No known fixed version
All affected versions: 1.4.1