CVE-2012-6662

jquery-ui: XSS vulnerability in default content in Tooltip widget

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

Vulnerabilidad de XSS en la opción de contenido por defecto en jquery.ui.tooltip.js en el widget Tooltip en jQuery UI anterior a 1.10.0 permite a atacantes remotos inyectar secuencias de comandos web o HTMl arbitrarios a través del atributo del título, lo cual no se maneja debidamente en la demostración de cuadros combinados del autocompletado.

*Credits: N/A

CVSS Scores

NISTv2 4.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-11-14 CVE Reserved
2014-11-24 CVE Published
2024-07-06 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (13)

URL	Tag	Source
http://seclists.org/oss-sec/2014/q4/613	Mailing List
http://seclists.org/oss-sec/2014/q4/616	Mailing List
http://www.securityfocus.com/bid/71107	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/98697	Vdb Entry
https://github.com/jquery/jquery/issues/2432	X_refsource_misc

URL	Date	SRC

URL	Date	SRC
https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e	2018-07-14
https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde	2018-07-14

URL	Date	SRC
http://bugs.jqueryui.com/ticket/8859	2018-07-14
http://bugs.jqueryui.com/ticket/8861	2018-07-14
http://rhn.redhat.com/errata/RHSA-2015-0442.html	2018-07-14
http://rhn.redhat.com/errata/RHSA-2015-1462.html	2018-07-14
https://access.redhat.com/security/cve/CVE-2012-6662	2015-07-21
https://bugzilla.redhat.com/show_bug.cgi?id=1166064	2015-07-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Hpc Node Search vendor "Redhat" for product "Enterprise Linux Hpc Node"				7.0 Search vendor "Redhat" for product "Enterprise Linux Hpc Node" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Jqueryui Search vendor "Jqueryui"		Jquery Ui Search vendor "Jqueryui" for product "Jquery Ui"				1.10.0 Search vendor "Jqueryui" for product "Jquery Ui" and version "1.10.0"		rc1, jquery		Affected