pekeupload@2.1.1 vulnerabilities

jQuery html5 file uploader plugin

latest version

2.1.1

first published

9 years ago

latest version published

8 years ago

licenses detected

MIT
>=0

View pekeupload package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the pekeupload package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) pekeupload is a jQuery plugin that allows you to easily add multiple or single file upload functionality to your website. This plugin uses html5 only. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed. PoC 1.Download pekeUpload last release https://github.com/pekebyte/pekeUpload/archive/refs/tags/2.1.1.zip and unzip it 2.Create a test.html page like this one inside pekeUpload-2.1.1 directory. The contents should be as follows: <html> <script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script> <script type="text/javascript" src="js/pekeUpload.js"></script> <input id="file" type="file" name="file" /> <script> $("#file").pekeUpload();</script> </html> 3.Create a file named <img src=x onerror=alert("HACKED!")>.png 4.Visit the test.html page in the browser and try to upload the created file. The javascript code will be executed and an alert should appear with the words "HACKED!" How to fix Cross-site Scripting (XSS)? There is no fixed version for `pekeupload`.	*

Cross-site Scripting (XSS)

pekeupload is a jQuery plugin that allows you to easily add multiple or single file upload functionality to your website. This plugin uses html5 only.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed.

PoC

1.Download pekeUpload last release https://github.com/pekebyte/pekeUpload/archive/refs/tags/2.1.1.zip and unzip it
2.Create a test.html page like this one inside pekeUpload-2.1.1 directory. The contents should be as follows:

<html>
        <script src="https://code.jquery.com/jquery-3.6.0.min.js"
                integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4="
                crossorigin="anonymous"></script>
        <script type="text/javascript" src="js/pekeUpload.js"></script>
        <input id="file" type="file" name="file" />
                        <script>
                                $("#file").pekeUpload();</script>
</html>

3.Create a file named <img src=x onerror=alert("HACKED!")>.png
4.Visit the test.html page in the browser and try to upload the created file. The javascript code will be executed and an alert should appear with the words "HACKED!"

How to fix Cross-site Scripting (XSS)?

There is no fixed version for pekeupload.

Go back to all versions of this package