CVE-2021-37504
Description
A cross-site scripting (XSS) vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a JavaScript payload in the file name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jquery-file-upload (npm) | <= 4.0.11 | — |
Affected products
- jQuery-Upload-File/jQuery-Upload-File
Patches
Vulnerability mechanics
Root cause
"The plugin does not sanitize the `fileNameStr` parameter before inserting it into the DOM, allowing HTML/JavaScript injection via a crafted filename."
Attack vector
An attacker can upload a file whose filename contains a JavaScript payload (e.g., `<img src=x onerror=alert(1)>`). The jQuery-Upload-File plugin inserts the unsanitized `fileNameStr` into the page's HTML, causing the browser to execute the injected script. This is a classic stored/reflected cross-site scripting attack [CWE-79] that requires no special network position beyond the ability to upload a file.
Affected code
The vulnerability resides in the `jquery.uploadfile.js` file, specifically around line 469, where the `fileNameStr` parameter is rendered into the DOM without sanitization. The advisory references the GitHub source at `https://github.com/hayageek/jquery-upload-file/blob/master/js/jquery.uploadfile.js#L469` as the affected code location.
What the fix does
The advisory does not include a published patch diff. To remediate, the plugin must properly encode or escape the `fileNameStr` value before inserting it into the DOM, for example by using `textContent` instead of `innerHTML` or by applying HTML entity encoding. Without a fix, any user-controllable filename can inject arbitrary HTML or JavaScript.
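The unsafe rendering pattern described under "Attack vector" and the encoding fix described above, as an added example that is not the plugin's own code. The fragments are built as strings so the example runs outside a browser; the wrapper markup, the class name `filename`, and the function names are assumptions, and the sample file name is the proof-of-concept string quoted in the advisory.

```javascript
// Added example, not code from jQuery-Upload-File. Models the defect class
// (file name concatenated into HTML) next to two hardened forms.

// Minimal HTML entity encoder covering the five characters that change the
// meaning of element content or attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (hypothetical markup): the raw file name is spliced into
// HTML that is later handed to innerHTML / jQuery .html(), so any tags in the
// name are parsed and, for event-handler attributes, executed.
function renderFileNameUnsafe(fileNameStr) {
  return '<div class="filename">' + fileNameStr + '</div>';
}

// Hardened pattern: encode before concatenation. The name is displayed
// literally; '<img ...>' arrives in the DOM as text, not as an element.
function renderFileNameSafe(fileNameStr) {
  return '<div class="filename">' + escapeHtml(fileNameStr) + '</div>';
}

// Browser-only variant of the fix: build the element through the DOM API and
// assign the name via textContent, which is never parsed as HTML. Returns null
// where no document exists (e.g. under Node) so the file still loads there.
function renderFileNameDom(fileNameStr) {
  if (typeof document === 'undefined') return null;
  const div = document.createElement('div');
  div.className = 'filename';
  div.textContent = fileNameStr;
  return div;
}

// Constructed sample input: the payload string quoted in the advisory.
const craftedName = '<img src=x onerror=alert(1)>';

// Side-by-side output for a reader running this stand-alone.
console.log('unsafe:', renderFileNameUnsafe(craftedName));
console.log('safe:  ', renderFileNameSafe(craftedName));
```

A quick check for a code base that renders upload metadata is to grep for the file-name variable next to `.html(`, `.append(` with a string argument, or `innerHTML`; each such site needs the `escapeHtml` treatment or a `textContent` assignment, and an encoder that covers all five characters above is what makes the attribute-context cases safe as well.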
Preconditions
- Configuration: The application must use jQuery-Upload-File v4.0.11 and render uploaded file names into the page without sanitization.
- Input: The attacker must be able to upload a file with a crafted filename containing a JavaScript payload.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-43x9-7hfv-mxrf (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-37504 (GHSA, ADVISORY)
- ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js (MITRE, x_refsource_MISC)
- hayageek.github.io/jQuery-Upload-File/4.0.11/jquery.uploadfile.min.js (MITRE, x_refsource_MISC)
- hayageek.github.io/jQuery-Upload-File/4.0.11/uploadfile.css (MITRE, x_refsource_MISC)
- haygeek.com (MITRE, x_refsource_MISC)
- jquery-upload-file.com (MITRE, x_refsource_MISC)
- github.com/hayageek/jquery-upload-file/blob/master/js/jquery.uploadfile.js (GHSA, x_refsource_MISC, WEB)
- raw.githubusercontent.com/hayageek/jquery-upload-file/master/js/jquery.uploadfile.js (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.