jQuery – CVE-2012-6708

Description

Kayran has detected that the version of jQuery you use is vulnerable to Cross-site Scripting (XSS) attacks.
The "jQuery(strInput)" function does not reliably distinguish selectors from HTML.

The attacker abuses the fact that jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string. This issue is also known as CVE-2012-6708.
This may assist attackers by giving them more flexibility when attempting to construct malicious payloads.

Severity/Score

CVSS Version 3.x – 6.1 Medium

Recommendation

To deal with CVE-2012-6708, update the jQuery version being used to 1.9.0 or higher.
In newer versions, jQuery treats the input as HTML only when it explicitly starts with the '<' character.

This limits exploitation to attackers who can control the beginning of the string, which is far less common.
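
The difference between the two rules described above, together with a check for versions below 1.9.0, as an added example that is not Kayran's or jQuery's own code. The two classifier functions are simplified models of the described behaviour, and all function names and sample values are assumptions constructed for illustration.

```javascript
// Added example: simplified models of the behaviour the advisory describes,
// not jQuery's actual source code. All names here are hypothetical.

// Before 1.9.0 (as described above): a '<' anywhere in the string was
// enough for jQuery(strInput) to treat the input as HTML.
function treatedAsHtmlLegacy(input) {
  return input.indexOf('<') !== -1;
}

// From 1.9.0 (as described above): only input that starts with '<' is HTML.
function treatedAsHtmlFixed(input) {
  return input.charAt(0) === '<';
}

// True when a "major.minor.patch" version string is lower than 1.9.0.
// Returns null when the string cannot be parsed.
function isAffectedVersion(version) {
  const parts = String(version).split('.').map((p) => parseInt(p, 10));
  if (parts.length < 2 || parts.some(Number.isNaN)) return null;
  const [major, minor] = parts;
  return major < 1 || (major === 1 && minor < 9);
}

// Inputs that only the legacy rule treats as HTML: these are the values to
// look for when reviewing code that passes untrusted strings to jQuery().
function legacyOnlyHtml(inputs) {
  return inputs.filter((s) => treatedAsHtmlLegacy(s) && !treatedAsHtmlFixed(s));
}

// Constructed sample values (benign markup only).
const samples = ['#main', 'div.item', '<p>hello</p>', '#tab<b>bold</b>', 'a > b'];

console.log(legacyOnlyHtml(samples));
console.log(['1.8.3', '1.9.0', '3.6.0'].map(isAffectedVersion));
```

In a browser, the version string of the loaded library is available as `jQuery.fn.jquery` and can be passed to `isAffectedVersion`.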

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6708

https://cwe.mitre.org/data/definitions/79.html
