jQuery – CVE-2012-6708


Kayran has detected that the version of jQuery you use is vulnerable to Cross-site Scripting (XSS).
The “jQuery(strInput)” function does not reliably distinguish CSS selectors from HTML.

In affected versions, jQuery decided that the input was HTML if the ‘<’ character appeared anywhere in the string, not only at its beginning. An attacker who can inject text into such a string can therefore have it parsed as HTML even when the application intended it to be a selector. This issue is tracked as CVE-2012-6708.
This gives attackers more flexibility when constructing malicious payloads, because they do not need to control the start of the string.


To deal with CVE-2012-6708, update the jQuery version being used to 1.9.0 or higher.
In newer versions, jQuery treats the input as HTML only if it explicitly starts with the ‘<’ character.

That limits exploitation to attackers who can control the beginning of the string, which is far less common.
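The following is an added illustration, not code from the Kayran page or from jQuery itself. It models the "HTML or selector?" decision that jQuery(strInput) makes before and after the 1.9.0 change, so that a reviewer can see why a ‘<’ in the middle of a string matters. The two regular expressions are modelled on the quick-match expressions in jQuery 1.8.x and 1.9.0; the function names, the sample inputs and the safeLookup wrapper are constructed for this example.

```javascript
// Added example: a model of jQuery's string-classification heuristic around
// CVE-2012-6708. Not jQuery's code; the regexes are modelled on jQuery 1.8.x
// and 1.9.0, the rest is constructed for illustration.

// jQuery <= 1.8: a "<...>" fragment anywhere in the string (after a run of
// characters that are not '#' or '<') makes the whole string count as HTML.
const OLD_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// jQuery >= 1.9: the string must start with '<' to be treated as HTML.
const NEW_QUICK_EXPR = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Returns "html" (string would be parsed as markup), "id" (fast path by id)
// or "selector" (string is handed to the selector engine).
function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (m && m[1] !== undefined) return "html";
  if (m && m[2] !== undefined) return "id";
  return "selector";
}

function classifyOld(input) { return classify(input, OLD_QUICK_EXPR); }
function classifyNew(input) { return classify(input, NEW_QUICK_EXPR); }

// Defensive wrapper (constructed): never let untrusted text reach the HTML
// branch. Anything either heuristic would read as markup is rejected; the
// rest is returned as an explicit selector for use with $(context).find().
function safeLookup(userInput) {
  if (classifyOld(userInput) === "html" || classifyNew(userInput) === "html") {
    return { action: "reject", reason: "input contains markup" };
  }
  return { action: "find", selector: userInput };
}

// Constructed sample inputs showing the difference between the two versions.
const samples = ["#main", "div.item", "<p>hello</p>", "a.user<b>bold</b>"];
for (const s of samples) {
  console.log(JSON.stringify(s), "old:", classifyOld(s), "new:", classifyNew(s));
}
```

The last sample, "a.user<b>bold</b>", is the interesting one: the pre-1.9 heuristic classifies it as HTML because of the embedded "<b>", while 1.9.0 classifies it as a selector because it does not start with ‘<’. Regardless of the jQuery version, code that takes a selector from user input should pass it to a scoped lookup such as $(document).find(selector) rather than to the jQuery(strInput) shortcut, and should call $.parseHTML only on strings that are meant to be markup.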