Cross-site Scripting (XSS) Affecting org.webjars.npm:jquery package, versions [1.7.1,1.9.0)


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Mature
EPSS: 0.64% (79th percentile)

  • Snyk ID: SNYK-JAVA-ORGWEBJARSNPM-479779
  • Published: 20 Oct 2016
  • Disclosed: 19 Jun 2012
  • Credit: Richard Gibson

Introduced: 19 Jun 2012

CVE-2012-6708
CWE-79

How to fix?

Upgrade org.webjars.npm:jquery to version 1.9.0 or higher.

Overview

org.webjars.npm:jquery is a JavaScript library. It makes things like HTML document traversal and manipulation, event handling, animation, and Ajax much simpler with an easy-to-use API that works across a multitude of browsers.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The jQuery(strInput) function does not reliably differentiate selectors from HTML. In the vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload.

In the fixed versions, jQuery only deems the input to be HTML if it explicitly starts with '<', limiting exploitability to attackers who can control the beginning of the string, which is far less common.
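The difference between the two behaviours, as an added example that is not jQuery's or Snyk's code: the two classifiers are simplified models of the description above, and `selectorOnly`, `isAffectedVersion`, `changedInputs` and the sample inputs are names and values constructed for this illustration.

```javascript
// Simplified models of the behaviour the advisory describes; not jQuery source.
// Versions before 1.9.0: a '<' anywhere makes jQuery(strInput) parse HTML.
const htmlBefore190 = (s) => s.includes("<");
// Versions 1.9.0 and later: only a string that starts with '<' is HTML.
const htmlFrom190 = (s) => s.startsWith("<");

// Return the inputs the two models classify differently.
function changedInputs(samples) {
  return samples.filter((s) => htmlBefore190(s) !== htmlFrom190(s));
}

// True if a version string falls in the advisory's range [1.7.1, 1.9.0).
// Assumption: plain MAJOR.MINOR.PATCH; any suffix after the patch is ignored.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null; // unparseable: caller decides
  const v = m.slice(1, 4).map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  return cmp(v, [1, 7, 1]) >= 0 && cmp(v, [1, 9, 0]) < 0;
}

// Hypothetical guard for call sites that only ever mean "select", such as
// values read from the URL: reject '<' so the input cannot reach HTML parsing
// under either model.
function selectorOnly(input) {
  if (typeof input !== "string" || input.includes("<")) {
    throw new TypeError("selector input must be a string without '<'");
  }
  return input;
}

// Constructed sample inputs with benign markup.
const SAMPLES = ["#tab-2", "div.item", "<p>hello</p>", "#tab-2<b>x</b>"];

console.log("classified differently:", changedInputs(SAMPLES));
for (const v of ["1.7.0", "1.7.1", "1.8.3", "1.9.0"]) {
  console.log(v, "affected:", isAffectedVersion(v));
}
```

In a browser, `jQuery.fn.jquery` holds the loaded version string that can be passed to `isAffectedVersion`.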

Note: CVE-2017-16011 is a duplicate of CVE-2012-6708
