An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZqOTMtN3dtNC04eDJn

Cross-Site Scripting in jquery-mobile

All version of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XmlHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to include malicious payloads as part of query parameters that are reflected back to the user. A response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} would be parsed as HTML and the JavaScript payload executed.


No fix is currently available. Consider using an alternative package until a fix is made available.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 9 months ago

Identifiers: GHSA-fj93-7wm4-8x2g

Affected Packages

Versions: >= 0
No known fixed version