jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e., "</script >", which results in the enclosed script logic being executed.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| jquery (npm) | 1.2.1 | 1.9.0 | N/A |
| jQuery (NuGet) | 1.2.1 | 1.9.0 | N/A |
| jquery-rails (RubyGems) | 0 | 2.2.0 | N/A |
| org.webjars.npm:jquery (Maven) | 1.2.1 | 1.9.0 | N/A |
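
The filtering miss described above and the affected ranges from the table, as an added example that is not jQuery's own code. `STRICT` is an assumed stand-in for a stripper that only recognizes the exact `</script>` end tag; the function names, the `AFFECTED` keys and the sample strings are constructed for illustration.

```javascript
// Added illustration. STRICT is an assumed stand-in for a regex-based script
// stripper that accepts only the exact end tag "</script>"; it is not copied
// from jQuery. All sample inputs are constructed.
const STRICT = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
// HTML parsers accept whitespace before ">" in an end tag, so this variant does too.
const TOLERANT = /<script\b[^<]*(?:(?!<\/script\b)<[^<]*)*<\/script\b[^>]*>/gi;

function stripScripts(html, pattern) {
  return html.replace(pattern, "");
}

// True when a script element is still present after filtering.
function scriptSurvives(html, pattern) {
  return /<script\b/i.test(stripScripts(html, pattern));
}

// Affected ranges from the advisory table: introduced <= version < fixed.
const AFFECTED = {
  "npm:jquery": ["1.2.1", "1.9.0"],
  "NuGet:jQuery": ["1.2.1", "1.9.0"],
  "RubyGems:jquery-rails": ["0", "2.2.0"],
  "Maven:org.webjars.npm:jquery": ["1.2.1", "1.9.0"],
};

// Numeric, component-wise comparison of dotted versions; missing parts count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function isAffected(pkg, version) {
  const range = AFFECTED[pkg];
  if (!range) return false; // package not listed in the advisory
  return compareVersions(version, range[0]) >= 0 &&
         compareVersions(version, range[1]) < 0;
}

const wellFormed = "<p>ok</p><script>track()</script>";   // constructed
const spacedClose = "<p>ok</p><script>track()</script >"; // constructed, end-tag form from the advisory
console.log(scriptSurvives(wellFormed, STRICT), scriptSurvives(spacedClose, STRICT),
            scriptSurvives(spacedClose, TOLERANT), isAffected("npm:jquery", "1.8.3"));
```

The two patterns are shown only to make the end-tag mismatch visible; the remediation the table gives is moving to the listed fixed version.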
CVSS Metrics