XSS Vulnerability in jQuery Affects Multiple Applications
CVE-2012-6708

6.1MEDIUM

Key Information:

Vendor
Jquery
Status
Jquery
Vendor
CVE Published:
18 January 2018

Summary

Earlier versions of jQuery (prior to 1.9.0) are susceptible to Cross-site Scripting (XSS) attacks. The vulnerability arises from the improper differentiation between HTML and selectors in the jQuery(strInput) function. By only checking for the '<' character anywhere in the input string, attackers could craft harmful payloads with greater ease. In the updated version, jQuery mitigates this risk by requiring that the input explicitly starts with the '<' character to be recognized as HTML, significantly reducing the likelihood of exploitation.

References

https://snyk.io/vuln/npm:jquery:20120206
x_refsource_MISC
https://bugs.jquery.com/ticket/11290
x_refsource_MISC
https://github.com/jquery/jquery/commit/05531fc4080ae2407...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.