Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#8854 closed bug (notabug)

Reflective XSS - http://jqueryui.com/themeroller/

Reported by: omerta
Owned by:
Priority: minor
Milestone: 1.10.0
Component: ui.core
Version: 1.9.1
Keywords:
Cc:
Blocked by:
Blocking:

Description

jqueryui.com/themeroller is vulnerable to reflected XSS attacks:

http://jqueryui.com/themeroller/#"><script>alert(document.domain);</script>

Verified on: Google Chrome - Version 23.0.1271.64; Firefox 17.0

http://pwnetrationguru.com/blog
http://pwnetrationguru.com/blog/images/jqueryui.png
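
The reported payload sits after the `#`, and a URL fragment is never sent to the server, so the fix belongs in the client-side code that reads it. The sketch below is an added example, not code from jQuery UI or download.jqueryui.com: it assumes the page copies the fragment into an attribute of generated markup, and the markup, the `ALLOWED` table and all function names are hypothetical.

```javascript
// Added example; markup, ALLOWED table and function names are hypothetical.
// Constructed input: the fragment from the report above.
const reportedHash = '#"><script>alert(document.domain);</script>';

// Vulnerable pattern: the fragment is concatenated into an attribute value,
// so a double quote ends the attribute and "<script>" becomes live markup.
function renderUnsafe(hash) {
  const value = decodeURIComponent(hash.slice(1));
  return '<a href="/themeroller/#' + value + '">Link to this theme</a>';
}

// Escape the characters that can close an attribute value or open a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hypothetical allow-list: each accepted key with the only value shape it may take.
const ALLOWED = { cornerRadius: /^\d{1,2}px$/, bgColorHeader: /^[0-9a-f]{6}$/i };

// Parse the fragment as key=value pairs and drop everything not allow-listed.
function parseThemeHash(hash) {
  const out = {};
  for (const pair of hash.replace(/^#/, '').split('&')) {
    const i = pair.indexOf('=');
    if (i < 1) continue; // no key or no '=': not a parameter
    let key, val;
    try {
      key = decodeURIComponent(pair.slice(0, i));
      val = decodeURIComponent(pair.slice(i + 1));
    } catch (e) {
      continue; // malformed percent-encoding
    }
    const rule = Object.prototype.hasOwnProperty.call(ALLOWED, key) ? ALLOWED[key] : null;
    if (rule && rule.test(val)) out[key] = val;
  }
  return out;
}

// Hardened: rebuild the fragment from validated values, then escape for HTML.
function renderSafe(hash) {
  const qs = Object.entries(parseThemeHash(hash))
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return '<a href="/themeroller/#' + escapeHtml(qs) + '">Link to this theme</a>';
}
```

In a browser, setting the value with `setAttribute` or `textContent` instead of concatenating HTML strings removes the need for manual escaping.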

Change History (3)

comment:1 Changed 7 years ago by Scott González

Resolution: notabug
Status: new → closed

comment:2 in reply to:  1 Changed 7 years ago by omerta

Replying to scott.gonzalez:

https://github.com/jquery/download.jqueryui.com/issues/61

I do not understand why this was resolved to "notabug". It appears a GitHub issue was created for it, indicating that there is a vulnerability. Maybe it has to do with this being a vulnerability in the web application and not the jQuery API in general...

comment:3 Changed 7 years ago by Scott González

notabug means that the issue reported is not a bug in the code tracked by this bug tracker. This bug tracker is solely for the jQuery UI library, not for any associated sites, which is why I opened the issue on GitHub.

Thanks for reporting it.
