CVE-2012-6662
Summary
| CVE | CVE-2012-6662 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-11-24 16:59:01 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Jqueryui | Jquery Ui | 1.10.0 | rc1 | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Hpc Node | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 7.0 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| JQuery 'combobox.html' Cross Site Scripting Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses · Issue #2432 · jquery/jquery · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | |
| Tooltip: Escape the title attribute so that it's treated as text and … · jquery/jquery-ui@f285440 · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Issue Tracking, Patch, Third Party Advisory |
| Autocomplete demo: Combobox: Encode search term inside tooltips. Fixe… · jquery/jquery-ui@5fee6fd · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Issue Tracking, Patch, Third Party Advisory |
| #8861 (Tooltip: XSS vulnerability in default content) – jQuery UI | af854a3a-2127-422b-91ae-364da2661108 | bugs.jqueryui.com | Issue Tracking, Vendor Advisory |
| oss-sec: old CVE assignments for JQuery 1.10.0 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | Third Party Advisory, VDB Entry |
| #8859 (Autocomplete: XSS in combobox demo) – jQuery UI | af854a3a-2127-422b-91ae-364da2661108 | bugs.jqueryui.com | Issue Tracking, Vendor Advisory |
| oss-sec: Re: old CVE assignments for JQuery 1.10.0 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | Third Party Advisory |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980932 Nodejs (npm) Security Update for jquery-ui (GHSA-qqxp-xp9v-vvx6)
- 995420 Java (Maven) Security Update for org.webjars.npm:jquery-ui (GHSA-qqxp-xp9v-vvx6)
- 995437 DotNet (Nuget) Security Update for jQuery.UI.Combined (GHSA-qqxp-xp9v-vvx6)
- 995446 Rubygems (Rubygems) Security Update for jquery-ui-rails (GHSA-qqxp-xp9v-vvx6)