CVE-2011-4969 — jQuery vulnerable to Cross-Site Scripting (XSS)

Description

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

How to fix CVE-2011-4969

To remediate CVE-2011-4969, upgrade the affected package to a fixed version below.

Debian/jquery—upgrade to 1.6.4-1 or later
Maven/org.webjars.npm:jquery—upgrade to 1.6.3 or later
npm/jquery—upgrade to 1.6.3 or later
—upgrade to 1.6.3 or later
—upgrade to 1.0.16 or later

Is CVE-2011-4969 being exploited?

Moderate — EPSS is 6.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

from 0, < 1.6.4-1
from 0, < 1.6.3
from 0, < 1.6.3
from 0, < 1.6.3
from 0, < 1.0.16

References (21)

ADVISORYblog.jquery.com/2011/09/01/jquery-1-6-3-released/
ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-4969
ADVISORYsecurity.netapp.com/advisory/ntap-20190416-0007/
PATCHgithub.com/jquery/jquery
WEB