jquery.terminal@0.10.9 vulnerabilities

jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications.

Direct Vulnerabilities

Known vulnerabilities in the jquery.terminal package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • L
Cross-site Scripting (XSS)

jquery.terminal is a plugin for creating command line interpreters in your applications.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The code for XSS payload is always visible, but an attacker can use other techniques to hide the code the victim sees. If the application uses the execHash option and executes code from URL, the attacker can use this URL to execute their code. The scope is limited because the javascript attribute used is added to span tag, so no automatic execution like with onerror on images is possible.

Workaround

The user can use formatting that wrap whole user input and it's no op. This workaround will only work when user of the library is not using different formatters (e.g. to highlight code in different way).

$.terminal.new_formatter([/([\s\S]+)/g, '[[;;]$1]']);

How to fix Cross-site Scripting (XSS)?

Upgrade jquery.terminal to version 2.31.1 or higher.

<2.31.1
  • M
Cross-site Scripting (XSS)

jquery.terminal is a plugin for creating command line interpreters in your applications.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The application may execute arbitrary JavaScript through crafted malicious payloads due to insufficient sanitization. This may be caused if the options anyLinks or invokeMethods are set to true.

How to fix Cross-site Scripting (XSS)?

Upgrade jquery.terminal to version 1.21.0 or higher.

<1.21.0