Bug 1591840 (CVE-2012-6708) - CVE-2012-6708 js-jquery: XSS via improper selector detection
Summary: CVE-2012-6708 js-jquery: XSS via improper selector detection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-6708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1591841 1591843 1591845 1591849 1591842 1591844 1591846 1591847 1591848 1591850 1591851 1610362 1610363 1610364 1610365 1610366 1610367 1610368 1610369 1610370
Blocks: 1591852 2014197
TreeView+ depends on / blocked
 
Reported: 2018-06-15 17:14 UTC by Pedro Sampaio
Modified: 2021-10-21 19:53 UTC (History)
69 users (show)

Fixed In Version: js-jquery 1.9.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-21 19:53:24 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2018-06-15 17:14:55 UTC
Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution.

References:

https://bugs.jquery.com/ticket/11290
https://bugs.jquery.com/ticket/12531
https://bugs.jquery.com/ticket/6429
https://bugs.jquery.com/ticket/9521
https://nodesecurity.io/advisories/329

Comment 1 Pedro Sampaio 2018-06-15 17:16:44 UTC
Created js-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1591846]


Created js-jquery1 tracking bugs for this issue:

Affects: fedora-all [bug 1591842]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1591844]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1591849]
Affects: fedora-all [bug 1591841]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-all [bug 1591845]
Affects: fedora-all [bug 1591843]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1591847]

Comment 3 James Hebden 2018-06-20 08:14:01 UTC
Marking OpenStack not affected, due to the packaged version being at least 1.10.1 across all releases. Per the advisory, the patch is present in 1.9.0+

Comment 4 Cedric Buissart 2018-07-13 10:53:27 UTC
Renamed from CVE-2017-16011 to CVE-2012-6708 (see https://nvd.nist.gov/vuln/detail/CVE-2017-16011)

Comment 5 Cedric Buissart 2018-07-13 11:00:04 UTC
External References:

https://snyk.io/vuln/npm:jquery:20120206


Note You need to log in before you can comment on or make changes to this bug.