CVE-2012-6662: XSS
First published: Mon Nov 24 2014(Updated: )
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| nuget/jQuery.UI.Combined | <1.10.0 | 1.10.0 |
| maven/org.webjars.npm:jquery-ui | <1.10.0 | 1.10.0 |
| rubygems/jquery-ui-rails | <4.0.0 | 4.0.0 |
| npm/jquery-ui | <1.10.0 | 1.10.0 |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| jQuery UI | =1.10.0-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2012-6662
- https://github.com/jquery/jquery/issues/2432
- https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e
- https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98697
- https://github.com/advisories/GHSA-qqxp-xp9v-vvx6 (Advisory)
- http://bugs.jqueryui.com/ticket/8859
- http://bugs.jqueryui.com/ticket/8861
- http://rhn.redhat.com/errata/RHSA-2015-0442.html
- http://rhn.redhat.com/errata/RHSA-2015-1462.html
- http://seclists.org/oss-sec/2014/q4/613
- http://seclists.org/oss-sec/2014/q4/616
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2012-6662.yml
- http://www.securityfocus.com/bid/71107
Frequently Asked Questions
What is the severity of CVE-2012-6662?
CVE-2012-6662 has a medium severity rating due to its potential for cross-site scripting attacks.
How do I fix CVE-2012-6662?
To remediate CVE-2012-6662, upgrade to jQuery UI version 1.10.0 or later.
What causes the vulnerability in CVE-2012-6662?
The vulnerability in CVE-2012-6662 is caused by improper handling of the title attribute in the tooltip functionality of jQuery UI.
Which software is affected by CVE-2012-6662?
CVE-2012-6662 affects versions of jQuery UI prior to 1.10.0 and various packages such as jQuery.UI.Combined and jquery-ui-rails.
Is there a known exploit for CVE-2012-6662?
Yes, CVE-2012-6662 can be exploited by remote attackers injecting arbitrary web scripts through the title attribute.
- collector/github-advisory-latest
- alias/GHSA-qqxp-xp9v-vvx6
- alias/CVE-2012-6662
- collector/github-advisory
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/nuget
- package-manager/maven
- package-manager/rubygems
- package-manager/npm
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/jqueryui
- canonical/jquery ui
- version/jquery ui/1.10.0-rc1