jQuery-Upload-File XSS in fileNameStr

2022-02-2600:00:39

Google

osv.dev

5.7 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.6%

JSON

A cross-site scripting (XSS) vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a Javascript payload in the file name.

CPENameOperatorVersion
jquery-file-uploadle4.0.11

CPE	Name	Operator	Version
	jquery-file-upload	le	4.0.11

References

github.com/hayageek/jquery-upload-file

github.com/hayageek/jquery-upload-file/blob/master/js/jquery.uploadfile.js#L469

nvd.nist.gov/vuln/detail/CVE-2021-37504