jQuery – CVE-2012-6708

Description

Kayran has detected that the version of the jQuery you use is vulnerable to Cross-site Scripting attacks (XSS).
The “jQuery(strInput)” function does not set selectors apart from HTML in a reliable fashion.

The attacker abuses the fact that jQuery has determined whether the input was HTML or not by looking for the ‘<‘ character anywhere in the string. Also known as CVE-2012-6708.
This may assist attackers by giving them more flexibility when attempting to construct malicious payloads.

Severity/Score

CVSS Version 3.x – 6.1 Medium

Recommendation

To deal with CVE-2012-6708, update the jQuery version being used to 1.9.0 or higher.
In newer versions, jQuery only determines that the input is an HTML only after it explicitly starts with the ‘<‘ character.

That will limit the potential to attackers who can control the beginning of a string, which is far less common.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6708

https://cwe.mitre.org/data/definitions/79.html

< Return to all Vulnerabilities

HTTP VS. HTTPS

You must have once wondered what HTTP means and what is the difference between that ugly word to HTTPS, and if not, then please read

Read More »