Full Disclosure mailing list archives
jQuery < 3.5 Cross-Site Scripting (XSS)
From: Marcin Kozlowski <marcinguy () gmail com>
Date: Thu, 23 Apr 2020 09:32:06 +0200
Hi list,

Timmy Willison recently released a new version of jQuery. jQuery 3.5 fixes a cross-site scripting (XSS) vulnerability found in jQuery's HTML parser. The Snyk open source security platform estimates that 84% of all websites may be impacted by jQuery XSS vulnerabilities.

Masato Kinugawa found a cross-site scripting (XSS) vulnerability in the htmlPrefilter method of jQuery, and published an example showing a popup alert window in the form of a challenge (https://xss.pwnfunction.com/challenges/ww3/).

I think this bug got too little attention in light of its possible impact.

Below is a CodeQL query that can find user-controlled values passed to html() which can be abused to perform Cross-Site Scripting.

Please check your projects and submit responsible disclosure to projects that might be affected.

More in the repo: https://github.com/marcinguy/jquery-xss-in-html/blob/master/README.md

Thanks,
Marcin

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
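For a first pass over a project's scripts, the following added example (not part of the original post, and not the CodeQL query it refers to) reads the bundled jQuery version from its banner comment and lists `.html()` calls whose argument is not a plain string literal. The sample input and all function names are constructed for illustration; the check is a line-based heuristic and does no data-flow analysis.

```javascript
// Constructed sample: a jQuery banner followed by four .html() call sites.
const SAMPLE = [
  "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
  "$('#title').html('<b>Welcome</b>');",
  "$('#msg').html(decodeURIComponent(location.hash.slice(1)));",
  "var current = $('#out').html();",
  "$('#bio').html(profile.bio);",
].join("\n");

// Read the version from a jQuery banner comment; null when no banner is present.
function jqueryVersion(source) {
  const m = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)/.exec(source);
  return m ? m.slice(1, 4).map(Number) : null;
}

// True for releases older than 3.5.0, the fixed version named in the post.
function isBelow350([major, minor]) {
  return major < 3 || (major === 3 && minor < 5);
}

// List .html(...) calls whose argument is not one plain string literal.
// Heuristic: no data-flow tracking, and parentheses inside strings are not handled.
function findHtmlSinks(source) {
  const literal = /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')$/;
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const call = /\.html\(/g;
    while (call.exec(text) !== null) {
      let depth = 1, end = call.lastIndex;
      while (end < text.length && depth > 0) {
        if (text[end] === "(") depth++;
        else if (text[end] === ")") depth--;
        end++;
      }
      const arg = text.slice(call.lastIndex, depth === 0 ? end - 1 : end).trim();
      if (arg !== "" && !literal.test(arg)) findings.push({ line: idx + 1, argument: arg });
    }
  });
  return findings;
}

// Combine both checks into one triage record for a script file.
function audit(source) {
  const version = jqueryVersion(source);
  return { version, affected: version !== null && isBelow350(version), sinks: findHtmlSinks(source) };
}

console.log(JSON.stringify(audit(SAMPLE), null, 2));
```

Each reported call site still needs manual review to decide whether the argument is user-controlled.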