PT-2021-23985 · Unknown · Jquery Terminal Emulator

Nahiiko · Published 2021-12-30 · Updated 2022-08-09 · CVE-2021-43862

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: jQuery Terminal Emulator versions prior to 2.31.1
Description: The issue is a low-impact, limited cross-site scripting (XSS) vulnerability. The code of the XSS payload is always visible in the terminal output, but an attacker can use other techniques to hide it from the victim. If the application uses the execHash option and executes commands taken from the URL, the attacker can use such a URL to execute their code. The scope is limited because the JavaScript attribute is added to a span tag, so no automatic execution (as with onerror on images) is possible.
Recommendations: For versions prior to 2.31.1, update to version 2.31.1 to fix the issue. As a temporary workaround, the user can register a formatter that wraps the whole user input in a no-op formatting, for example with the following code: $.terminal.new_formatter([/([\s\S]+)/g, '[[;;]$1]']); This workaround only works when the user of the library is not using other formatters.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-43862
GHSA-X9R5-JXVQ-4387

Affected Products

Jquery Terminal Emulator