CVE-2012-6708
The MITRE CVE dictionary describes this issue as:
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Find out more about CVE-2012-6708 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 6.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | None |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | katello-headpin | Will not fix |
| Red Hat Subscription Asset Manager 1 | ruby193-rubygemrui_alchemy-rails | Will not fix |
| Red Hat Subscription Asset Manager 1 | ruby193-rubygem-jquery-rails | Will not fix |
| Red Hat Subscription Asset Manager 1 | ruby193-rubygem-apipie-rails | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | python27-python-werkzeug | Affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-python36-python-coverage | Not affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | python27-python-coverage | Affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-ror50-rubygem-jquery-rails | Not affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-ror42-rubygem-simplecov-html | Affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-ror42-rubygem-jquery-rails | Not affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-python35-python-coverage | Not affected |
| Red Hat Satellite 6 | tfm-rubygem-jquery-ui-rails | Not affected |
| Red Hat Satellite 6 | ruby193-rubygem-jquery-ui-rails | Will not fix |
| Red Hat OpenStack Platform 9.0 | python-XStatic-jQuery | Not affected |
| Red Hat OpenStack Platform 13.0 (Queens) | python-XStatic-jQuery | Not affected |
| Red Hat OpenStack Platform 12.0 | python-XStatic-jQuery | Not affected |
| Red Hat OpenStack Platform 11.0 (Ocata) | python-XStatic-jQuery | Not affected |
| Red Hat OpenStack Platform 10 | python-XStatic-jQuery | Not affected |
| Red Hat Mobile Application Platform On-Premise 4 | millicore | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | python-XStatic-jQuery | Not affected |
| Red Hat Enterprise Linux 7 | ipa | Not affected |
| Red Hat Enterprise Linux 7 | pcp | Affected |
| Red Hat Enterprise Linux 7 | python-coverage | Affected |
| Red Hat Enterprise Linux 7 | pki-core | Not affected |
| Red Hat Enterprise Linux 7 | publican | Affected |
| Red Hat Enterprise Linux 7 | ipsilon | Not affected |
| Red Hat Enterprise Linux 6 | python-coverage | Will not fix |
| Red Hat Enterprise Linux 6 | ipa | Not affected |
| Red Hat Enterprise Linux 6 | python-weberror | Will not fix |
| Red Hat Enterprise Linux 6 | pcp | Affected |
External References
CVE description copyright © 2017, The MITRE Corporation