dstndstn / astrometry.net

Astrometry.net -- automatic recognition of astronomical images
http://astrometry.net

jQuery outdated #254

Open Nodeswitch opened 2 years ago

Nodeswitch commented 2 years ago

Hi there

Security scans revealed that a version of jQuery from 2011 (1.6.1) is being used, which is vulnerable to a couple of XSS attacks.

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Is it possible for these to be updated?
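The two heuristics described in the advisory text above, modelled as an added example (not code from jQuery or from the astrometry.net project), together with a version gate a deployment check can run against the loaded jQuery; the sample strings are constructed for illustration.

```javascript
// Added example, not part of the astrometry.net repository.
// Models the behaviour quoted in the issue: the pre-1.6.3 heuristic
// treats a string as HTML if '<' appears anywhere, the fixed one only
// if the string starts with '<'.

// Legacy heuristic (jQuery before 1.6.3): any '<' anywhere means "HTML".
function looksLikeHtmlLegacy(str) {
  return str.indexOf('<') >= 0;
}

// Fixed heuristic as described in the advisory: only a leading '<' means "HTML".
function looksLikeHtmlFixed(str) {
  return str.charAt(0) === '<';
}

// Parse "major.minor.patch" into integers, missing parts default to 0.
function parseVersion(v) {
  return v.split('.').map(function (n) { return parseInt(n, 10) || 0; });
}

// Negative if a < b, zero if equal, positive if a > b (numeric per component).
function compareVersions(a, b) {
  var pa = parseVersion(a), pb = parseVersion(b);
  for (var i = 0; i < 3; i++) {
    var da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// True when the loaded jQuery predates the 1.6.3 fix named in the issue.
// In a page: isBeforeSelectorFix(window.jQuery.fn.jquery)
function isBeforeSelectorFix(version) {
  return compareVersions(version, '1.6.3') < 0;
}

// Constructed samples: real HTML, a plain id selector, and a selector with a
// stray '<' later in the string, which only the legacy heuristic calls HTML.
var samples = ['<div>hi</div>', '#results', '#results <b>'];

function classify(str) {
  return { input: str, legacy: looksLikeHtmlLegacy(str), fixed: looksLikeHtmlFixed(str) };
}

// Version 1.6.1 is the one the scan in the issue reported.
var report = { classes: samples.map(classify), outdated: isBeforeSelectorFix('1.6.1') };
```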

dstndstn commented 2 years ago

Feel free to send a PR