CVE-2025-3573 — Cross-site Scripting in Node-jquery-validation

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 46.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Znuny Debian Civicrm +5 more

Timeline

PublishedApr 15

Latest updateOct 15

Description

Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages8 packages

▶debiandebian/node-jquery-validation< kalkun 0.8.3.2-1 (forky)

▶npmjquery-validation/jquery-validation< 1.20.0

▶debiandebian/znuny< kalkun 0.8.3.2-1 (forky)

▶debiandebian/kalkun< kalkun 0.8.3.2-1 (forky)

▶debiandebian/civicrm< kalkun 0.8.3.2-1 (forky)

🔴Vulnerability Details

OSV

CVE-2025-3573: Versions of the package jquery-validation before 1↗2025-04-15

▶

OSV

jquery-validation vulnerable to Cross-site Scripting↗2025-04-15

▶

GHSA

jquery-validation vulnerable to Cross-site Scripting↗2025-04-15

▶

📋Vendor Advisories

Oracle

Oracle Oracle Hyperion Risk Matrix: Web Client - Unicode (jQuery) — CVE-2025-3573↗2025-10-15

▶

Red Hat

jquery-validation: XSS Vulnerability in jquery-validation↗2025-04-15

▶

Debian

CVE-2025-3573: civicrm - Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-...↗2025

▶