jQuery vulnerable to Cross-Site Scripting (XSS)

Description

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
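A defensive pattern for the case described above, as an added example (not code from the advisory or from jQuery): `$()` accepts both selectors and HTML strings, so the fragment is checked against a strict id allowlist before it reaches the selector call. The names `hashToIdSelector` and `selectFromHash`, the id grammar and the sample fragments are assumptions constructed for this example.

```javascript
// Added example. hashToIdSelector and selectFromHash are hypothetical helpers.
// The allowlist below is an assumed id grammar: '#', then a letter,
// then up to 63 letters, digits, '_' or '-'. Adjust it to the ids your page uses.
const SAFE_ID = /^#[A-Za-z][A-Za-z0-9_-]{0,63}$/;

// Returns the fragment unchanged if it is a plain "#id" selector, otherwise null.
// Percent-encoded or markup-bearing fragments contain characters outside the
// allowlist and are rejected rather than decoded or "cleaned".
function hashToIdSelector(rawHash) {
  if (typeof rawHash !== 'string') return null;
  return SAFE_ID.test(rawHash) ? rawHash : null;
}

// Replacement for the risky pattern $(location.hash):
// the selector engine is only called with a validated "#id" string.
// `$` is passed in so the helper works with whichever jQuery the page loads.
function selectFromHash($, rawHash) {
  const selector = hashToIdSelector(rawHash);
  return selector === null ? null : $(selector);
}

// Constructed sample fragments (not taken from the advisory).
const samples = ['#settings', '#tab-2', '#', '', '#a b', '#<b>x</b>', '#tab%2D2'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', hashToIdSelector(s));
}
```

In page code the call would be `selectFromHash(jQuery, window.location.hash)`; upgrading to a patched release listed below is still required, and the check keeps untrusted fragment text out of the selector call regardless of library version.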

Basic information

Type: reviewed
Severity: medium
Published (advisory): 2022-05-14 01:09:51 UTC
Updated: 2026-01-14 21:43:53 UTC
GitHub reviewed: 2022-09-12 14:46:34 UTC
NVD published: 2013-03-08

EPSS Score

Score: 5.57%
Percentile: 90.11%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id   Name
CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • jhutchings1 (analyst)
  • klaudialax (analyst)

Affected packages (4)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem  Package                  Vulnerable range  First patched  Vulnerable functions
npm        jquery                   < 1.6.3           1.6.3
nuget      jQuery                   < 1.6.3           1.6.3
rubygems   jquery-rails             < 1.0.16          1.0.16
maven      org.webjars.npm:jquery   < 1.6.3           1.6.3
