Fluid Attacks Database

Description

Cross-Site Scripting in jquery-mobile All version of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XmlHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to include malicious payloads as part of query parameters that are reflected back to the user. A response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} would be parsed as HTML and the JavaScript payload executed.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
npm	jquery-mobile	>=0 <=1.5.0

Aliases

1. GCVE-GHSA-fj93-7wm4-8x2g

References

1. https://github.com/jquery/jquery-mobile/issues/86402. https://github.com/jquery/jquery-mobile/pull/86493. https://github.com/jquery/jquery-mobile/pull/86504. https://github.com/jquery/jquery-mobile/commit/b0d9cc758a48f13321750d7409fb7655dcdf2b505. https://gist.github.com/jupenur/e5d0c6f9b58aa81860bf74e010cf16856. https://github.com/jquery/jquery-mobile7. https://www.npmjs.com/advisories/883

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.