Vulnerability Details : CVE-2012-6662
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.
Vulnerability category: Cross site scripting (XSS)
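The defect described above is that the Tooltip widget's default `content` callback returned the element's `title` attribute unchanged, and the widget then inserted that string as HTML. The added example below is not jQuery UI's own code: it contrasts a pass-through content callback with one that treats the title as text, using a hypothetical `escapeHtmlText` helper and a simplified string-based `renderTooltip` in place of the real widget. The same treatment applies to the search term the combobox demo reflects into tooltips.

```javascript
// Added example, not the jQuery UI implementation. Helper and function
// names are hypothetical; the tooltip markup is simplified to a string.

// Converts text to an HTML-safe form: '&' first, so later entities are not
// double-encoded, then the characters that can open tags or attributes.
function escapeHtmlText(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-1.10.0 behaviour: the title attribute flows straight into the
// tooltip as markup, so any tag inside it is rendered, not displayed.
function vulnerableTooltipContent(element) {
  return element.title;
}

// Fixed behaviour: the title is escaped, so it is displayed as literal text
// even though the widget still builds its tooltip from an HTML string.
function safeTooltipContent(element) {
  return escapeHtmlText(element.title);
}

// Stand-in for the widget: wraps whatever the content callback returns in
// the tooltip container by string concatenation, as raw HTML would be.
function renderTooltip(contentFn, element) {
  return '<div class="ui-tooltip-content">' + contentFn(element) + "</div>";
}

// Constructed sample: a title that contains markup characters.
const sampleElement = { title: '<b>"Tom & Jerry"</b>' };

// Vulnerable: <div class="ui-tooltip-content"><b>"Tom & Jerry"</b></div>
// Fixed:      <div class="ui-tooltip-content">&lt;b&gt;&quot;Tom &amp; Jerry&quot;&lt;/b&gt;</div>
console.log(renderTooltip(vulnerableTooltipContent, sampleElement));
console.log(renderTooltip(safeTooltipContent, sampleElement));
```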
Products affected by CVE-2012-6662
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:jqueryui:jquery_ui:1.10.0:rc1:*:*:*:jquery:*:*
Threat overview for CVE-2012-6662
Top countries where our scanners detected CVE-2012-6662
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2012-6662: 89
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2012-6662: 6.15% (probability of exploitation activity in the next 30 days)
EPSS Score History
EPSS percentile: ~90% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2012-6662
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2012-6662
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-6662
- http://www.securityfocus.com/bid/71107 : JQuery 'combobox.html' Cross Site Scripting Vulnerability
- http://rhn.redhat.com/errata/RHSA-2015-1462.html : RHSA-2015:1462 - Security Advisory - Red Hat Customer Portal
- http://bugs.jqueryui.com/ticket/8861 : #8861 (Tooltip: XSS vulnerability in default content) - jQuery UI [Issue Tracking; Vendor Advisory]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98697 : jQuery UI default content cross-site scripting CVE-2012-6662 Vulnerability Report
- http://seclists.org/oss-sec/2014/q4/616 : oss-sec: Re: old CVE assignments for JQuery 1.10.0 [Third Party Advisory; VDB Entry]
- https://github.com/jquery/jquery/issues/2432 : Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses · Issue #2432 · jquery/jquery · GitHub
- http://bugs.jqueryui.com/ticket/8859 : #8859 (Autocomplete: XSS in combobox demo) - jQuery UI [Issue Tracking; Vendor Advisory]
- http://seclists.org/oss-sec/2014/q4/613 : oss-sec: old CVE assignments for JQuery 1.10.0 [Third Party Advisory; VDB Entry]
- http://rhn.redhat.com/errata/RHSA-2015-0442.html : RHSA-2015:0442 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde : Tooltip: Escape the title attribute so that it's treated as text and … · jquery/jquery-ui@f285440 · GitHub [Issue Tracking; Patch; Third Party Advisory]
- https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e : Autocomplete demo: Combobox: Encode search term inside tooltips. Fixe… · jquery/jquery-ui@5fee6fd · GitHub [Issue Tracking; Patch; Third Party Advisory]