Vulnerability Name:CVE-2012-6662

Assigned:2012-11-27
Published:2012-11-27
Updated:2018-07-13
Summary:Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
References:Source: CONFIRM
Type: VENDOR_ADVISORY
http://bugs.jqueryui.com/ticket/8859

Source: CONFIRM
Type: VENDOR_ADVISORY
http://bugs.jqueryui.com/ticket/8861

Source: REDHAT
Type: VENDOR_ADVISORY
RHSA-2015:0442

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1462

Source: MLIST
Type: VENDOR_ADVISORY
[oss-security] 20141114 old CVE assignments for JQuery 1.10.0

Source: MLIST
Type: VENDOR_ADVISORY
[oss-security] 20141114 Re: old CVE assignments for JQuery 1.10.0

Source: BID
Type: UNKNOWN
71107

Source: XF
Type: UNKNOWN
jqueryui-cve20126662-xss(98697)

Source: CONFIRM
Type: VENDOR_ADVISORY
https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e

Source: CONFIRM
Type: VENDOR_ADVISORY
https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde

Source: MISC
Type: UNKNOWN
https://github.com/jquery/jquery/issues/2432

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:jqueryui:jquery_ui:1.10.0:rc1:~~~jquery~~:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:com.redhat.rhsa:def:20150442 | P | RHSA-2015:0442: ipa security, bug fix, and enhancement update (Moderate) | 2015-03-05
    oval:com.redhat.rhsa:def:20151462 | P | RHSA-2015:1462: ipa security and bug fix update (Moderate) | 2015-03-04
    oval:com.ubuntu.precise:def:20126662000 | V | CVE-2012-6662 on Ubuntu 12.04 LTS (precise) - medium. | 2014-11-24
    oval:com.ubuntu.trusty:def:20126662000 | V | CVE-2012-6662 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-11-24
    redhat enterprise linux desktop 7.0
    redhat enterprise linux hpc node 7.0
    redhat enterprise linux server 7.0
    redhat enterprise linux workstation 7.0
    jqueryui jquery ui 1.10.0 rc1