Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution. References: https://bugs.jquery.com/ticket/11290 https://bugs.jquery.com/ticket/12531 https://bugs.jquery.com/ticket/6429 https://bugs.jquery.com/ticket/9521 https://nodesecurity.io/advisories/329
Created js-jquery tracking bugs for this issue: Affects: fedora-all [bug 1591846] Created js-jquery1 tracking bugs for this issue: Affects: fedora-all [bug 1591842] Created js-jquery2 tracking bugs for this issue: Affects: fedora-all [bug 1591844] Created python-XStatic-jQuery tracking bugs for this issue: Affects: epel-7 [bug 1591849] Affects: fedora-all [bug 1591841] Created python-tw2-jquery tracking bugs for this issue: Affects: epel-all [bug 1591845] Affects: fedora-all [bug 1591843] Created rubygem-jquery-rails tracking bugs for this issue: Affects: fedora-all [bug 1591847]
Marking OpenStack not affected, due to the packaged version being at least 1.10.1 across all releases. Per the advisory, the patch is present in 1.9.0+
Renamed from CVE-2017-16011 to CVE-2012-6708 (see https://nvd.nist.gov/vuln/detail/CVE-2017-16011)
External References: https://snyk.io/vuln/npm:jquery:20120206
Upstream fix: https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d