XSS Vulnerability in jQuery Affects Multiple Applications
CVE-2012-6708

6.1MEDIUM

Key Information:

Vendor

Jquery

Status
Jquery
Vendor
CVE Published:
18 January 2018

What is CVE-2012-6708?

Earlier versions of jQuery (prior to 1.9.0) are susceptible to Cross-site Scripting (XSS) attacks. The vulnerability arises from the improper differentiation between HTML and selectors in the jQuery(strInput) function. By only checking for the '<' character anywhere in the input string, attackers could craft harmful payloads with greater ease. In the updated version, jQuery mitigates this risk by requiring that the input explicitly starts with the '<' character to be recognized as HTML, significantly reducing the likelihood of exploitation.

References

https://snyk.io/vuln/npm:jquery:20120206
x_refsource_MISC
https://bugs.jquery.com/ticket/11290
x_refsource_MISC
https://github.com/jquery/jquery/commit/05531fc4080ae2407...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.