Juho Forsén jupenur

## jqm-xss.md

      
              1 file
            
          
              2 forks
            
          
              5 comments
            
          
              17 stars
            
          
                jupenur
                / jqm-xss.md
            
            
              Created
              May 4, 2019 13:44
            
          
    Multiple vulnerabilities in jQuery Mobile

Summary

All current versions of jQuery Mobile (JQM) as of 2019-05-04 are vulnerable to DOM-based Cross-Site Scripting (XSS) via crafted URLs. In JQM versions up to and including 1.2.1, the only requirement is that the library is included in a web application. In versions > 1.2.1, the web application must also contain a server-side API that reflects back user input as part of an HTTP response of any type. Practically all non-trivial web applications contain at least one such API.
Additionally, all current versions of JQM contain a broken implementation of a URL parser, which can lead to security issues in affected applications.

  
## node-dev-exec.js
#!/usr/bin/env node

/**
 * Execute shell commands remotely in Node.js apps via the DevTools protocol
 *
 * Setup:
 *   npm install chrome-remote-interface
 *   chmod +x node-dev-exec.js
 *
 * Usage:

## gist:9a83183a7951d7ceceb950bd672dcbdc
### Keybase proof

I hereby claim:

  * I am jupenur on github.
  * I am jupenur (https://keybase.io/jupenur) on keybase.
  * I have a public key whose fingerprint is 6F27 B9E0 77C8 90B9 3BE4  FCDB FDC4 4178 1A3F 30EA

To claim this, I am signing this object:
	#!/usr/bin/env node

	/**
	* Execute shell commands remotely in Node.js apps via the DevTools protocol
	*
	* Setup:
	* npm install chrome-remote-interface
	* chmod +x node-dev-exec.js
	*
	* Usage:
	### Keybase proof

	I hereby claim:

	* I am jupenur on github.
	* I am jupenur (https://keybase.io/jupenur) on keybase.
	* I have a public key whose fingerprint is 6F27 B9E0 77C8 90B9 3BE4 FCDB FDC4 4178 1A3F 30EA

	To claim this, I am signing this object: