CVE-2012-6708
Last modified
CVE-2012-6708 is a vulnerability of currently unknown severity. jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. EPSS estimates an 8.79% chance of exploitation in the next 30 days.
Description
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
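The description above comes down to one decision: is the string passed to jQuery(strInput) a selector or HTML? The following is an added illustration, not jQuery's own code, modelling the two rules exactly as the description states them (any '<' anywhere versus a leading '<'). The function names, the `asSelectorOnly` wrapper and the sample inputs are assumptions constructed for this example; real jQuery implements the check with a regular expression, and this model only reproduces the behavioural difference the CVE text names.

```javascript
// Added example (not jQuery's own code): a simplified model of the HTML-vs-selector
// decision described in the CVE text. Function names and sample inputs are constructed.

// Pre-1.9 rule as described: a '<' anywhere in the string makes it "HTML".
function looksLikeHtmlLegacy(strInput) {
  return strInput.indexOf("<") !== -1;
}

// Fixed rule as described: only a string that begins with '<' is treated as HTML.
function looksLikeHtmlFixed(strInput) {
  return strInput.charAt(0) === "<";
}

// Defensive wrapper (hypothetical helper, not a jQuery API): when application code
// intends a selector, refuse anything either rule could parse as HTML instead of
// relying on the library's heuristic at all.
function asSelectorOnly(strInput) {
  if (strInput.indexOf("<") !== -1) {
    throw new Error("refusing to use string as selector: contains '<'");
  }
  return strInput;
}

// Classify a list of inputs under both rules so the difference is visible.
function classify(inputs) {
  return inputs.map((s) => ({
    input: s,
    legacyIsHtml: looksLikeHtmlLegacy(s),
    fixedIsHtml: looksLikeHtmlFixed(s),
  }));
}

// Constructed sample inputs: a plain id selector, a string that begins with markup,
// and a selector-looking string with markup appended after it. The last one is the
// case the CVE describes: only the legacy rule turns it into HTML.
const SAMPLE_INPUTS = [
  "#results",
  "<div class='card'></div>",
  "#results <b>x</b>",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const row of classify(SAMPLE_INPUTS)) {
    console.log(row);
  }
}
```

The third sample shows why the fix narrows exposure: under the legacy rule a string that merely contains markup somewhere is parsed as HTML, while under the fixed rule the attacker would need to control the very first character. Application code that only ever means a selector should not depend on either heuristic; a wrapper like `asSelectorOnly` (or an explicit `$.parseHTML` call when HTML really is intended) removes the ambiguity on the caller's side.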
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jquery | Jquery | < 1.9.0 |
References
- http://www.securityfocus.com/bid/102792 (Third Party Advisory, VDB Entry)
- https://bugs.jquery.com/ticket/11290 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d (Patch, Third Party Advisory)
- https://snyk.io/vuln/npm:jquery:20120206 (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2012-6708?
How severe is CVE-2012-6708?
How do I fix CVE-2012-6708?
Are you affected by CVE-2012-6708?
Source: NVD / NIST
