Moderate severity · NVD Advisory · Published Mar 8, 2013 · Updated Apr 29, 2026
CVE-2011-4969
Description
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
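The root cause is the order in which jQuery's string-selector fast path classified its input: a string beginning with `#` but containing `<...>` markup was matched by the HTML branch of the `quickExpr` regex before the id branch was considered, so passing `location.hash` (attacker-controlled) into `jQuery()` could create elements with inline event handlers. The example below is added here and is not jQuery's own code: it takes the pre- and post-fix `quickExpr` regexes from the fix commit, reproduces the three-way decision that jQuery makes on a string selector in a small `classify()` helper (a constructed name), and runs both versions over constructed inputs, including a `location.hash`-shaped string modelled on the regression test. The `idFromHash()` helper at the end is a defensive pattern for application code, an assumption of this example rather than guidance from the advisory.

```javascript
// Added example (not jQuery's own code): the pre- and post-fix quickExpr regexes
// from the fix commit, applied to candidate selector strings to show how each
// version classifies them. classify/compare/idFromHash are constructed helpers.
const QUICK_EXPR_BEFORE = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;  // jQuery < 1.6.3
const QUICK_EXPR_AFTER  = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // jQuery 1.6.3

// Mirrors the decision jQuery's init() makes on a string selector:
//   "html"     -> match[1] set: the string is parsed as markup and elements are created
//   "id"       -> match[2] set: document.getElementById(match[2])
//   "selector" -> no match: handed to the Sizzle engine, which rejects '<' syntax
function classify(selector, quickExpr) {
  const m = quickExpr.exec(selector);
  if (!m) return "selector";
  if (m[1]) return "html";
  return "id";
}

// Constructed sample inputs. The last one is shaped like the location.hash value
// used by the regression test in the fix commit, with an inert inline handler.
const SAMPLE_INPUTS = [
  "#main",
  "<div>",
  '#<img id="check9521" src="no-such-.gif" onerror="void 0">',
];

// Classify each input under both regexes so the behavioural change is visible.
function compare(inputs = SAMPLE_INPUTS) {
  return inputs.map((s) => ({
    input: s,
    before: classify(s, QUICK_EXPR_BEFORE), // pre-fix: '#<img ...>' is "html"
    after: classify(s, QUICK_EXPR_AFTER),   // post-fix: '#<img ...>' is "selector"
  }));
}

// Defensive pattern for application code that still selects by location.hash
// (an assumption of this example, not from the advisory): accept only a bare id
// fragment and return null otherwise, so markup never reaches jQuery().
function idFromHash(hash) {
  const m = /^#([\w-]+)$/.exec(hash);
  return m ? m[1] : null;
}

for (const row of compare()) {
  console.log(`${row.input}\n  before: ${row.before}\n  after:  ${row.after}`);
}
```

Under the old regex the `location.hash`-shaped string falls into the HTML branch because `[^<]*` happily consumes the leading `#`; under the fixed regex the `#` stops the HTML alternative, and since the id alternative only accepts `[\w\-]*` up to end of string, the string matches neither branch and goes to the selector engine, which does not create elements. `idFromHash()` shows the application-side check: validate the fragment as a plain id before it is ever used as a selector.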
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| jquery | npm | < 1.6.3 | 1.6.3 |
| jQuery | NuGet | < 1.6.3 | 1.6.3 |
| jquery-rails | RubyGems | < 1.0.16 | 1.0.16 |
| org.webjars.npm:jquery | Maven | < 1.6.3 | 1.6.3 |
Affected products
Patches (3)
db9e023e62c1: Merge pull request #474 from dmethvin/fix-9521-xss-hash
2 files changed · +20 −2
src/core.js+2 −2 modified@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) { rootjQuery, // A simple way to check for HTML strings or ID strings - // (both of which we optimize for) - quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, + // Prioritize #id over <tag> to avoid XSS via location.hash (#9521) + quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, // Check if a string has a non-whitespace character in it rnotwhite = /\S/,
test/unit/core.js+18 −0 modified@@ -467,6 +467,24 @@ test("isXMLDoc - HTML", function() { document.body.removeChild( iframe ); }); +test("XSS via location.hash", function() { + expect(1); + + stop(); + jQuery._check9521 = function(x){ + ok( x, "script called from #id-like selector with inline handler" ); + jQuery("#check9521").remove(); + delete jQuery._check9521; + start(); + }; + try { + // This throws an error because it's processed like an id + jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)">' ).appendTo("#qunit-fixture"); + } catch (err) { + jQuery._check9521(true); + }; +}); + if ( !isLocal ) { test("isXMLDoc - XML", function() { expect(3);
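Review bot: the one-character change from `[^<]*` to `[^#<]*` in the first alternative of `quickExpr` (src/core.js hunk) means any `#` before the first `<` now disqualifies the string from the HTML branch, which is what stops a `location.hash` value like `#<img ...>` from being parsed as markup; but the new comment "Prioritize #id over <tag>" reads as if such a string is then handled as an id, whereas the second alternative `#([\w\-]*)$` still only matches a bare id, so `#<img ...>` matches neither branch and falls through to the selector engine. Suggest the comment say that instead, and that the side effect for legitimate markup preceded by a `#` (e.g. `"#1 <b>x</b>"` is no longer parsed as HTML) be called out in the release notes.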
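Review bot: the new test in test/unit/core.js only reaches `ok( x, ... )` with `x === true` through the `catch` block, so it relies on the selector engine throwing for the `#<img ...>` string; if an engine returned an empty set without throwing, neither path would call `start()` and the test would stall at `stop()` until QUnit's timeout instead of failing with a clear message. Suggest restructuring so the assertion is on `jQuery("#check9521").length === 0` after the `try`/`catch`, with `start()` called exactly once, so the intended property (no element is created from the string) is checked directly whether or not an exception is thrown. The `;` after the closing brace of `catch` is also redundant.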
References
- github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9 (nvd: Exploit, Patch, Web)
- github.com/advisories/GHSA-579v-mp3v-rrw5 (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-4969 (ghsa: Advisory)
- blog.jquery.com/2011/09/01/jquery-1-6-3-released/ (ghsa, nvd: Web)
- blog.mindedsecurity.com/2011/07/jquery-is-sink.html (nvd: Web)
- bugs.jquery.com/ticket/9521 (nvd: Web)
- www.openwall.com/lists/oss-security/2013/01/31/3 (nvd: Web)
- www.ubuntu.com/usn/USN-1722-1 (nvd: Web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2011-4969.yml (ghsa: Web)
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E (ghsa, nvd: Web)
- security.netapp.com/advisory/ntap-20190416-0007/ (ghsa, nvd: Web)
- security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450224 (ghsa: Web)
- www.osvdb.org/80056 (nvd)
- www.securityfocus.com/bid/58458 (nvd)
- www.securitytracker.com/id/1036620 (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd; three entries with identical truncated URLs, document ids not preserved)