jQuery – CVE-2012-6708

Description

Kayran has detected that the version of the jQuery you use is vulnerable to Cross-site Scripting attacks (XSS).
The “jQuery(strInput)” function does not set selectors apart from HTML in a reliable fashion.

The attacker abuses the fact that jQuery has determined whether the input was HTML or not by looking for the ‘<‘ character anywhere in the string. Also known as CVE-2012-6708.
This may assist attackers by giving them more flexibility when attempting to construct malicious payloads.

Recommendation

To deal with CVE-2012-6708, update the jQuery version being used to 1.9.0 or higher.
In newer versions, jQuery only determines that the input is an HTML only after it explicitly starts with the ‘<‘ character.

That will limit the potential to attackers who can control the beginning of a string, which is far less common.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6708

https://cwe.mitre.org/data/definitions/79.html

< Return to all Vulnerabilities

Exposing the GIT

Let’s start with defining the meaning of GIT. GIT – is an open-source system which we use as a tool to store data and information

Read More »