CVE-2011-4969: jQuery vulnerable to Cross-Site Scripting (XSS)
CVSS Score: 4.3
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.88337%
CWE
Published: 5/14/2022
Updated: 9/26/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
jquery | npm | < 1.6.3 | 1.6.3 |
jQuery | nuget | < 1.6.3 | 1.6.3 |
jquery-rails | rubygems | < 1.0.16 | 1.0.16 |
org.webjars.npm:jquery | maven | < 1.6.3 | 1.6.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from jQuery's selector parsing logic, which uses the quickExpr regex to decide whether a string is an HTML fragment to create or an ID to select. The original regex (`/^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/`) tries the HTML branch first and lets any characters other than '<' precede the tag, so it allowed HTML injection when a '#' was present in the selector string. Attackers could craft location.hash values like '#<img onerror=alert(1)>', which would be interpreted as HTML creation rather than ID selection. The patched regex (`/^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/`) explicitly prioritizes ID selection by excluding '#' characters before checking for HTML tags, as seen in the commit diff and advisory descriptions.
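The difference between the two patterns can be checked without a browser. The following is an added example, not jQuery's or the advisory's own code: it runs both quickExpr patterns (written with their quantifiers, as an assumption about the source) over constructed sample strings. `classifySelector` and `compare` are hypothetical helpers that mirror only the regex decision, not DOM creation.

```javascript
// Added illustration: classify selector strings the way the quickExpr
// match is interpreted (group 1 = HTML fragment, group 2 = element ID).

// Pattern before the fix (jQuery < 1.6.3).
const QUICK_EXPR_VULNERABLE = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/;
// Pattern after the fix (1.6.3): no '#' may appear before the first '<'.
const QUICK_EXPR_PATCHED = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/;

// Hypothetical helper, not a jQuery API.
function classifySelector(quickExpr, selector) {
  const match = quickExpr.exec(selector);
  if (match && match[1]) return { kind: "html", value: match[1] };
  if (match) return { kind: "id", value: match[2] };
  // No match: the string would be handed to the CSS selector engine.
  return { kind: "selector", value: selector };
}

// Constructed sample inputs; the second is the string quoted in the analysis.
const SAMPLES = [
  "#main-nav",
  "#<img onerror=alert(1)>",
  "<div>hello</div>",
  "div.item",
  // Caveat: with no '#' before the '<', the patched pattern still sees HTML,
  // so untrusted strings must not reach $() even on fixed versions.
  "x<b>y</b>",
];

// Returns one row per sample with the decision under each pattern.
function compare(samples) {
  return samples.map((input) => ({
    input,
    before: classifySelector(QUICK_EXPR_VULNERABLE, input).kind,
    after: classifySelector(QUICK_EXPR_PATCHED, input).kind,
  }));
}

console.table(compare(SAMPLES));
```

Only the second sample changes classification between the two patterns: "html" before the fix, "selector" after it.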