CVE-2011-4969 — Cross-site Scripting in Jquery

CWE-79 — Cross-site Scripting15 documents10 sources

Severity

4.3MEDIUMNVD

NVD2.6

EPSS

5.6%

top 9.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jquery Drupal Jenkins ANT Plugin +2 more

Timeline

PublishedMar 8

Latest updateMay 14

Description

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages8 packages

▶NuGetjquery/jquery< 1.6.3

▶npmjquery/jquery< 1.6.3

▶Debianjquery/jquery< 1.6.4-1

▶NVDjquery/jquery1.6.2+2

▶NVDdrupal/drupal48 versions+47

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

jQuery vulnerable to Cross-Site Scripting (XSS)↗2022-05-14

▶

GHSA

jQuery vulnerable to Cross-Site Scripting (XSS)↗2022-05-14

▶

GHSA

GHSA-8335-5x6w-v3pw: Cross-site scripting (XSS) vulnerability in Drupal 6↗2022-05-05

▶

OSV

CVE-2011-4969: Cross-site scripting (XSS) vulnerability in jQuery before 1↗2013-03-08

▶

📋Vendor Advisories

CISA ICS

Pepperl+Fuchs WirelessHART-Gateway↗2022-04-07

▶

Jenkins

Jenkins Security Advisory 2017-02-01↗2017-02-01

▶

Ubuntu

jQuery vulnerability↗2013-02-13

▶

Red Hat

jquery: Cross-site scripting (XSS) via $(location.hash) and $(#<tag>)↗2011-06-06

▶

📄Research Papers

CTF

hashes / README↗2014

▶

💬Community

Bugzilla

CVE-2011-4969 jquery: Cross-site scripting (XSS) via $(location.hash) and $(#<tag>)↗2013-02-01

▶

Bugzilla

CVE-2011-4969 drupal7-jquery_update: JQuery < 1.6.3 XSS flaw [epel-all]↗2013-01-17

▶

Bugzilla

drupal6, drupal7: Multiple security flaws fixed in upstream 6.28 and 7.19 versions (SA-CORE-2013-001)↗2013-01-17

▶

Bugzilla

CVE-2011-4969 drupal7-jquery_update: JQuery < 1.6.3 XSS flaw [fedora-all]↗2013-01-17

▶