Cross-site Scripting (XSS)

Affecting jquery package, versions <1.9.0 >=1.7.1

medium severity

Overview

jquery is JavaScript library for DOM operations.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In the vulnerable version, jQuery determined whether the input was HTML or not by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct malicious payload.

In the fixed versions, jQuery only deems the input to be HTML if it explicitly starts with '<', limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Remediation

Upgrade jquery to version 1.9.0 or higher.

References

Do your applications use this vulnerable package?

Credit
Richard Gibson
CVE
CVE-2012-6708
CWE
CWE-79
Snyk ID
npm:jquery:20120206
Disclosed
19 Jun, 2012
Published
20 Oct, 2016