Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2012-6708 — Cross-site Scripting in jQuery
Severity: 6.1 MEDIUM (NVD)
EPSS: 0.9% (top 24.28%)
CISA KEV: Not in KEV
Exploit: PoC available
Timeline
Published: Jan 18
Latest update: Jul 8
Description
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploi…
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 5 packages
Vulnerability Details (5)
Exploits & PoCs (1)
Vendor Advisories (3)
Microsoft (2018-01-09): jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions jQuery d…
Community (10)
Bugzilla (2018-06-15): CVE-2012-6708 python-XStatic-jQuery: js-jquery: XSS via improper selector detection [fedora-all]
Bugzilla (2018-06-15): CVE-2012-6708 python-XStatic-jQuery: js-jquery: XSS via improper selector detection [epel-7]
Bugzilla (2018-06-15): CVE-2012-6708 rubygem-jquery-rails: js-jquery: XSS via improper selector detection [fedora-all]