cbcvebase.
CVE-2012-6708
published 2018-01-18

CVE-2012-6708: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable…

PriorityP343medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
8.63%
94.4th percentile
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Affected

23 ranges
VendorProductVersion rangeFixed in
jqueryjquery< 1.9.01.9.0
jqueryjquery>= 0 < 1.9.01.9.0
jqueryjquery>= 0 < 1.7.2+dfsg-2ubuntu1+esm11.7.2+dfsg-2ubuntu1+esm1
jqueryjquery>= 0 < 1.11.3+dfsg-4ubuntu0.1~esm11.11.3+dfsg-4ubuntu0.1~esm1
jqueryjquery>= 0 < 3.2.1-1ubuntu0.1~esm13.2.1-1ubuntu0.1~esm1
jqueryjquery>= 0 < 1.9.01.9.0
msrcazl3_boost_1.83.0-2_on_azure_linux_3.0
msrcazl3_cal10n_0.8.1.10-1_on_azure_linux_3.0
msrcazl3_ceph_18.2.2-1_on_azure_linux_3.0
msrcazl3_ceph_18.2.2-8_on_azure_linux_3.0
msrcazl3_fontawesome4-fonts_4.7.0-12_on_azure_linux_3.0
msrcazl3_javapackages-bootstrap_1.14.0-2_on_azure_linux_3.0
msrcazl3_mozjs_102.15.1-1_on_azure_linux_3.0
msrcazl3_python-blinker_1.7.0-4_on_azure_linux_3.0
msrcazl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0
msrcazl3_rust_1.75.0-14_on_azure_linux_3.0
msrcazl3_rust_1.86.0-1_on_azure_linux_3.0
msrcazl3_scons_4.6.0-1_on_azure_linux_3.0
msrcazl3_slf4j_1.7.30-6_on_azure_linux_3.0
msrcazl3_slf4j_2.0.7-1_on_azure_linux_3.0
msrcazure_linux_3.0_arm
msrcazure_linux_3.0_x64
ruby-langruby>= 0 < 2.5.6-r02.5.6-r0

CVSS provenance

nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
vendor_msrc6.1MEDIUM
vendor_redhat6.1MEDIUM
vendor_ubuntu6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.