Description
Kayran has detected that the version of the jQuery you use is vulnerable to Cross-site Scripting attacks (XSS).
The “jQuery(strInput)” function does not set selectors apart from HTML in a reliable fashion.
The attacker abuses the fact that jQuery has determined whether the input was HTML or not by looking for the ‘<‘ character anywhere in the string. Also known as CVE-2012-6708.
This may assist attackers by giving them more flexibility when attempting to construct malicious payloads.
Severity/Score
CVSS Version 3.x – 6.1 Medium
Recommendation
To deal with CVE-2012-6708, update the jQuery version being used to 1.9.0 or higher.
In newer versions, jQuery only determines that the input is an HTML only after it explicitly starts with the ‘<‘ character.
That will limit the potential to attackers who can control the beginning of a string, which is far less common.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6708
