A cross-site scripting flaw was reported against jQuery 1.4.2: http://seclists.org/fulldisclosure/2014/Sep/10
The original report advises upgrading to version 1.11.1, which may include the fix.
It looks likely that this issue is not an issue at all, but investigations are still ongoing.
The proof of concept in the full disclosure post is not an exploit that can be run against a target, as it suggests. It is in fact a known bad pattern with jQuery, where using text() inside after() can lead to DOM-based XSS. For something to be vulnerable, it would have to follow this anti-pattern in a website that used jQuery.
It is still possible to get arbitrary HTML into a page following this pattern with the current version of jQuery, and the jQuery documentation specifically states [from http://api.jquery.com/after/]:
"By design, any jQuery constructor or method that accepts an HTML string — jQuery(), .append(), .after(), etc. — can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code (for example, <img onload="">). Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities."
jQuery 1.6 and up (several years old now) actually added specific hardening that looks to block <script> tags.
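To audit a code base for the anti-pattern described above, the following added example (not code from jQuery, the original report, or Red Hat) is a heuristic line-based scan that flags HTML-accepting jQuery calls whose argument reads from text(), a form value, the URL, or cookies. It goes beyond the text()-inside-after() case to the other methods and sources the quoted documentation names; the function names and the sample input are hypothetical.

```javascript
// Added example: heuristic scan for untrusted strings passed to HTML-accepting jQuery methods.
const HTML_SINKS = ['after', 'before', 'append', 'prepend', 'html', 'replaceWith'];
// Getter calls and browser properties that commonly carry untrusted strings.
const TAINT = /\.(text|val)\(\s*\)|location\.(search|hash|href)|document\.cookie/;

// Text between the '(' at index `open` and its matching ')'; null if unbalanced.
// Parentheses inside string literals are not handled (this is a heuristic).
function callArgument(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(open + 1, i);
  }
  return null;
}

// .text(value) is a setter that inserts value as a text node, so mask what it wraps.
function stripTextSetters(arg) {
  let out = arg;
  for (let at = out.indexOf('.text('); at !== -1; at = out.indexOf('.text(', at + 6)) {
    const inner = callArgument(out, at + 5);
    if (inner && inner.trim()) {
      out = out.slice(0, at + 6) + 'SAFE' + out.slice(at + 6 + inner.length);
    }
  }
  return out;
}

function findUnsafeInsertions(source) {
  const findings = [];
  const sinkRe = new RegExp('\\.(' + HTML_SINKS.join('|') + ')\\(', 'g');
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(sinkRe)) {
      const arg = callArgument(line, m.index + m[0].length - 1);
      if (arg !== null && TAINT.test(stripTextSetters(arg))) {
        findings.push({ line: idx + 1, sink: m[1], argument: arg.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample input, not taken from any real site.
const SAMPLE = [
  "$('#msg').after($('#name').text());",
  "$('#msg').after($('<span>').text($('#name').text()));",
  "$('#out').append('<b>' + location.hash + '</b>');",
  "$('#out').append($('<b>').text(location.hash));",
].join('\n');
console.log(findUnsafeInsertions(SAMPLE));
```

Lines 2 and 4 of the sample are the corrected forms: the value is set with .text(value) on a newly created element, so it is never parsed as HTML.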
CVE-2014-6071 was assigned for this report.
Statement: Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.