Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1136683 - (CVE-2014-6071) CVE-2014-6071 jQuery: cross-site scripting flaw
CVE-2014-6071 jQuery: cross-site scripting flaw
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140902,repor...
: Security
Depends On:
Blocks: 1136684
  Show dependency treegraph
 
Reported: 2014-09-03 01:07 EDT by Murray McAllister
Modified: 2016-04-26 11:26 EDT (History)
55 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-04 00:44:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Murray McAllister 2014-09-03 01:07:11 EDT 
A cross-site scripting flaw was reported against jQuery 1.4.2:

http://seclists.org/fulldisclosure/2014/Sep/10

The original report notes to upgrade to version 1.11.1, which may include the fix.
Comment 1 Murray McAllister 2014-09-03 03:10:18 EDT 
It looks likely that this issue is not an issue at all, but investigations are still ongoing.
Comment 2 Murray McAllister 2014-09-04 00:44:56 EDT 
The proof of concept in the full disclosure post is not an exploit that can be run against a target as it suggests. What it is in fact is a known bad-pattern with jquery where using text() inside after() can lead to DOM based XSS. For something to be vulnerable, they would have to follow this anti-pattern in a website that used jquery.

While this is still possible to get arbitary html into a page following this pattern with the current version of jquery, and the jquery documentation specifically states: [from http://api.jquery.com/after/]

"
By design, any jQuery constructor or method that accepts an HTML string — jQuery(), .append(), .after(), etc. — can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code (for example, <img onload="">). Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. 
"

Jquery 1.6 and up (several years old now) actually added specific hardening that looks to block <script> tags.
Comment 3 Tomas Hoger 2014-09-08 15:11:25 EDT 
CVE-2014-6071 was assigned for this report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.