CVE-2011-4969

Published: 30 January 2013

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Priority

Status

Package	Release	Status
jquery Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Released (1.3.3-2ubuntu1.2)
	oneiric	Released (1.6.2-1ubuntu2.2)
	precise	Not vulnerable (1.7.1-1ubuntu1)
	quantal	Not vulnerable (1.7.2+debian-1ubuntu1)
	upstream	Released (1.6.3)
	Patches: upstream: https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9

References

http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/
http://www.openwall.com/lists/oss-security/2013/01/30
https://ubuntu.com/security/notices/USN-1722-1
https://www.cve.org/CVERecord?id=CVE-2011-4969
NVD
Launchpad
Debian

Bugs

http://bugs.jquery.com/ticket/9521

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›