CVE-2012-6708
18.01.2018, 23:29
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| jquery | jquery | 𝑥 < 1.9.0 |
𝑥
= Vulnerable software versions
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libruby2_5-2_5 |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| ruby24 |
| ||
| ruby24-debuginfo |
| ||
| ruby24-devel |
| ||
| ruby24-doc |
| ||
| ruby24-irb |
| ||
| ruby24-libs |
| ||
| rubygem24-bigdecimal |
| ||
| rubygem24-did_you_mean |
| ||
| rubygem24-io-console |
| ||
| rubygem24-json |
| ||
| rubygem24-minitest5 |
| ||
| rubygem24-net-telnet |
| ||
| rubygem24-power_assert |
| ||
| rubygem24-psych |
| ||
| rubygem24-rdoc |
| ||
| rubygem24-test-unit |
| ||
| rubygem24-xmlrpc |
| ||
| rubygems24 |
| ||
| rubygems24-devel |
|
Azure Linux Releases
References