CVE-2012-6708

Summary

CVE: CVE-2012-6708
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2018-01-18 23:29:00 UTC
Updated: 2023-11-07 02:13:00 UTC
Description: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
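The following is an added example, not code from the CVE record or from the jQuery project. It models the branch that jQuery(strInput) takes for a string argument before and after the fix. The two regular expressions are taken from jQuery 1.8.3 and 1.9.0 (commit 05531fc); the classify() function around them, the "html"/"id"/"selector" labels and the sample inputs are constructed here to show why a payload that merely contains '<' reaches the HTML path in 1.8.x but not in 1.9.0, and why a payload that starts with '<' still reaches it in both.

```javascript
// Added example for CVE-2012-6708: how jQuery(strInput) decides whether a string
// is HTML, an #id shortcut, or a CSS selector. The regexes follow jQuery 1.8.3
// (pre-fix) and 1.9.0 (post-fix, commit 05531fc); everything else is a simplified
// model written for this page, not jQuery's own source.

// Pre-fix (jQuery 1.8.x): any prefix free of '#' and '<' may precede the markup,
// so '<' effectively only has to appear somewhere in the string.
const RQUICK_PRE_FIX = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Post-fix (jQuery 1.9.0): the markup group must begin at offset 0.
const RQUICK_POST_FIX = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

/**
 * Returns the path jQuery(str) would take for a string argument:
 *   "html"     -> parsed as markup, nodes are created (the XSS sink)
 *   "id"       -> looked up with document.getElementById
 *   "selector" -> handed to the selector engine, no node creation
 */
function classify(str, rquick) {
  let match;
  // Both versions short-circuit a string that starts with '<' and ends with '>'.
  if (str.charAt(0) === "<" && str.charAt(str.length - 1) === ">" && str.length >= 3) {
    match = [null, str, null];
  } else {
    match = rquick.exec(str);
  }
  if (match) {
    return match[1] ? "html" : "id";
  }
  return "selector";
}

function classifyPreFix(str) { return classify(str, RQUICK_PRE_FIX); }
function classifyPostFix(str) { return classify(str, RQUICK_POST_FIX); }

// Constructed inputs. The two payloads imitate an attacker-controlled value that the
// page later passes straight to jQuery(), e.g. a fragment or query parameter.
const cases = [
  "div.menu",                          // ordinary selector
  "#user-123",                         // id shortcut
  "div<img src=x onerror=alert(1)>",   // markup after a selector-like prefix
  "<img src=x onerror=alert(1)>",      // markup at the very start
];

for (const s of cases) {
  console.log(
    JSON.stringify(s).padEnd(36),
    "pre-fix:", classifyPreFix(s).padEnd(8),
    "post-fix:", classifyPostFix(s)
  );
}
```

The third input is the case the fix closes: in 1.8.x "div<img ...>" is parsed as HTML and the img element fires its onerror handler once inserted, while in 1.9.0 the same string goes to the selector engine and simply matches nothing. The fourth input shows the limit of the fix that the description mentions: a string that already begins with '<' is still treated as markup in both versions. The durable mitigation is therefore not the upgrade alone but never passing untrusted strings to jQuery(): look elements up with document.getElementById or a selector built from escaped input, and create nodes only from markup the page itself intends to render.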

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor | Product | Version | Update | Edition | Language
Application | Jquery | Jquery  | All     | All    | All     | All

References

  • snyk.io (MISC): Cross-site Scripting (XSS) in jquery | Snyk. Tags: Patch, Third Party Advisory
  • lists.apache.org: Pony Mail!
  • bugs.jquery.com (MISC): #11290 (selector interpreted as HTML) – jQuery Core - Bug Tracker. Tags: Exploit, Issue Tracking, Vendor Advisory
  • lists.apache.org (MLIST): Pony Mail!
  • www.securityfocus.com (BID): JQuery CVE-2012-6708 Cross Site Scripting Vulnerability. Tags: Third Party Advisory, VDB Entry
  • packetstormsecurity.com (MISC): RetireJS CORS Issue / Script Execution ≈ Packet Storm
  • help.ecostruxureit.com (CONFIRM): DCIM Support. Tags: Third Party Advisory
  • lists.apache.org: Pony Mail!
  • lists.opensuse.org (SUSE): [security-announce] openSUSE-SU-2020:0395-1: important: Recommended upda
  • packetstormsecurity.com (MISC): Linksys EA7500 2.0.8.194281 Cross Site Scripting ≈ Packet Storm
  • github.com (MISC): Adjust jQuery('html') detection to only match when html starts with '… · jquery/jquery@05531fc · GitHub. Tags: Patch, Third Party Advisory
  • lists.apache.org (MLIST): Pony Mail!
  • lists.apache.org (MLIST): Pony Mail!
  • lists.apache.org: Pony Mail!
  • www.cve.org (CVE.ORG): CVE Program record. Tags: canonical
  • nvd.nist.gov (NVD): NVD vulnerability detail. Tags: canonical, analysis

Legacy QID Mappings

  • 356305 Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-007
  • 981001 Java (maven) Security Update for org.webjars.npm:jquery (GHSA-2pqj-h3vj-pqgw)
  • 981002 Nodejs (npm) Security Update for jquery (GHSA-2pqj-h3vj-pqgw)
© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
