{"api_version":"1","generated_at":"2026-04-23T00:39:59+00:00","cve":"CVE-2012-6662","urls":{"html":"https://cve.report/CVE-2012-6662","api":"https://cve.report/api/cve/CVE-2012-6662.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2012-6662","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2012-6662"},"summary":{"title":"CVE-2012-6662","description":"Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2014-11-24 16:59:00","updated_at":"2018-07-14 01:29:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde","name":"https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Tooltip: Escape the title attribute so that it's treated as text and … · jquery/jquery-ui@f285440 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/98697","name":"jqueryui-cve20126662-xss(98697)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2015-1462.html","name":"RHSA-2015:1462","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://bugs.jqueryui.com/ticket/8861","name":"http://bugs.jqueryui.com/ticket/8861","refsource":"CONFIRM","tags":["Issue Tracking","Vendor Advisory"],"title":"#8861 (Tooltip: XSS vulnerability in default content)\n     – jQuery UI","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e","name":"https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Autocomplete demo: Combobox: Encode search term inside tooltips. Fixe… · jquery/jquery-ui@5fee6fd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/oss-sec/2014/q4/613","name":"[oss-security] 20141114 old CVE assignments for JQuery 1.10.0","refsource":"MLIST","tags":["Third Party Advisory","VDB Entry"],"title":"oss-sec: old CVE assignments for JQuery 1.10.0","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/jquery/jquery/issues/2432","name":"https://github.com/jquery/jquery/issues/2432","refsource":"MISC","tags":[],"title":"Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses  · Issue #2432 · jquery/jquery · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/71107","name":"71107","refsource":"BID","tags":[],"title":"JQuery 'combobox.html' Cross Site Scripting Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://seclists.org/oss-sec/2014/q4/616","name":"[oss-security] 20141114 Re: old CVE assignments for JQuery 1.10.0","refsource":"MLIST","tags":["Third Party Advisory","VDB Entry"],"title":"oss-sec: Re: old CVE assignments for JQuery 1.10.0","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2015-0442.html","name":"RHSA-2015:0442","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://bugs.jqueryui.com/ticket/8859","name":"http://bugs.jqueryui.com/ticket/8859","refsource":"CONFIRM","tags":["Issue Tracking","Vendor Advisory"],"title":"#8859 (Autocomplete: XSS in combobox demo)\n     – jQuery UI","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2012-6662","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6662","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jqueryui","cpe5":"jquery_ui","cpe6":"1.10.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"jquery","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jqueryui","cpe5":"jquery_ui","cpe6":"1.10.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"jquery","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_desktop","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_desktop","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_hpc_node","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_hpc_node","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_workstation","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"6662","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_workstation","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2012-6662","qid":"980932","title":"Nodejs (npm) Security Update for jquery-ui (GHSA-qqxp-xp9v-vvx6)"},{"cve":"CVE-2012-6662","qid":"995420","title":"Java (Maven) Security Update for org.webjars.npm:jquery-ui (GHSA-qqxp-xp9v-vvx6)"},{"cve":"CVE-2012-6662","qid":"995437","title":"DotNet (Nuget) Security Update for jQuery.UI.Combined (GHSA-qqxp-xp9v-vvx6)"},{"cve":"CVE-2012-6662","qid":"995446","title":"Rubygems (Rubygems) Security Update for jquery-ui-rails (GHSA-qqxp-xp9v-vvx6)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2012-6662","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/jquery/jquery/issues/2432","refsource":"MISC","url":"https://github.com/jquery/jquery/issues/2432"},{"name":"RHSA-2015:0442","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2015-0442.html"},{"name":"http://bugs.jqueryui.com/ticket/8861","refsource":"CONFIRM","url":"http://bugs.jqueryui.com/ticket/8861"},{"name":"jqueryui-cve20126662-xss(98697)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/98697"},{"name":"[oss-security] 20141114 Re: old CVE assignments for JQuery 1.10.0","refsource":"MLIST","url":"http://seclists.org/oss-sec/2014/q4/616"},{"name":"https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde","refsource":"CONFIRM","url":"https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde"},{"name":"RHSA-2015:1462","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2015-1462.html"},{"name":"http://bugs.jqueryui.com/ticket/8859","refsource":"CONFIRM","url":"http://bugs.jqueryui.com/ticket/8859"},{"name":"71107","refsource":"BID","url":"http://www.securityfocus.com/bid/71107"},{"name":"[oss-security] 20141114 old CVE assignments for JQuery 1.10.0","refsource":"MLIST","url":"http://seclists.org/oss-sec/2014/q4/613"},{"name":"https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e","refsource":"CONFIRM","url":"https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e"}]}},"nvd":{"publishedDate":"2014-11-24 16:59:00","lastModifiedDate":"2018-07-14 01:29:00","problem_types":["CWE-79"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jqueryui:jquery_ui:1.10.0:rc1:*:*:*:jquery:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2012","CveId":"6662","Ordinal":"75921","Title":"CVE-2012-6662","CVE":"CVE-2012-6662","Year":"2012"},"notes":[{"CveYear":"2012","CveId":"6662","Ordinal":"1","NoteData":"Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.","Type":"Description","Title":null},{"CveYear":"2012","CveId":"6662","Ordinal":"2","NoteData":"2014-11-24","Type":"Other","Title":"Published"},{"CveYear":"2012","CveId":"6662","Ordinal":"3","NoteData":"2018-07-13","Type":"Other","Title":"Modified"}]}}}