Cross-Site Scripting (XSS)

Module: jquery

Published: March 21st, 2017

Reported by: Egor Homakov

CVE-NONE

Vulnerable: >=1.4.0 <=1.11.3 || >=1.12.4 <=2.2.4
Patched: >=3.0.0

Overview

jQuery is a JavaScript library for DOM traversal and manipulation, event handling, animation, and Ajax.

When a cross-origin Ajax request is made without the dataType option and the response is served as text/javascript, jQuery executes the response body with jQuery.globalEval, potentially allowing an attacker to execute arbitrary code on the origin.

Remediation

Upgrade to v3.0.0 or greater.
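
Where an upgrade has to be staged, the behaviour from the Overview can be modelled and blocked with a prefilter. The following is an added example, not code from jQuery or from this advisory: the settings object and its regexes are a constructed, simplified model of Content-Type sniffing, and the function names are hypothetical; jQuery.ajaxPrefilter is the real hook used for registration.

```javascript
// Constructed model of per-request ajax settings (assumption: mirrors the
// shape of jQuery's `contents` map, which maps a dataType to a regex that is
// tested against the response Content-Type when no dataType was given).
function defaultSettings(crossDomain, dataType) {
  return {
    crossDomain: crossDomain,
    dataType: dataType,
    contents: {
      xml: /\bxml\b/,
      html: /\bhtml/,
      json: /\bjson\b/,
      script: /\b(?:java|ecma)script\b/
    }
  };
}

// Mitigation: for cross-domain requests, stop a response from being
// classified as "script" by its Content-Type alone.
function blockCrossDomainScript(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// Returns the dataType the response would be handled as in this model.
function resolveDataType(s, contentType) {
  if (s.dataType) return s.dataType; // explicit dataType: no sniffing
  for (const type in s.contents) {
    if (s.contents[type] && s.contents[type].test(contentType)) return type;
  }
  return "text";
}

// "script" is the type whose handling ends in jQuery.globalEval.
function wouldEvaluate(s, contentType) {
  return resolveDataType(s, contentType) === "script";
}

// Register the prefilter when a real jQuery is loaded (no-op elsewhere).
if (typeof jQuery !== "undefined") {
  jQuery.ajaxPrefilter(blockCrossDomainScript);
}
```

Code that needs a cross-origin script on purpose can still request it by passing dataType: "script" explicitly, which bypasses the sniffing step in this model.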
