Vulnerability Name: CVE-2012-6662 (CCN-98697)

Assigned: 2012-11-27
Published: 2012-11-27
Updated: 2018-07-14
Summary: Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
http://bugs.jqueryui.com/ticket/8859

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
http://bugs.jqueryui.com/ticket/8861

Source: MITRE
Type: CNA
CVE-2012-6662

Source: CCN
Type: jQuery Web site
jQuery UI 1.10.0 Changelog

Source: CCN
Type: RHSA-2015-0442
Moderate: ipa security, bug fix, and enhancement update

Source: REDHAT
Type: Third Party Advisory
RHSA-2015:0442

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1462

Source: CCN
Type: oss-security Mailing List, Fri, 14 Nov 2014 08:29:42 -0700
old CVE assignments for JQuery 1.10.0

Source: MLIST
Type: Third Party Advisory, VDB Entry
[oss-security] 20141114 old CVE assignments for JQuery 1.10.0

Source: CCN
Type: oss-security Mailing List, Fri, 14 Nov 2014 16:47:50 -0500 (EST)
Re: old CVE assignments for JQuery 1.10.0

Source: MLIST
Type: Third Party Advisory, VDB Entry
[oss-security] 20141114 Re: old CVE assignments for JQuery 1.10.0

Source: BID
Type: UNKNOWN
71107

Source: CCN
Type: BID-71107
JQuery 'combobox.html' Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
jqueryui-cve20126662-xss(98697)

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde

Source: MISC
Type: UNKNOWN
https://github.com/jquery/jquery/issues/2432

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2012-6662

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:jqueryui:jquery_ui:1.10.0:rc1:*:*:*:jquery:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

Configuration RedHat 9:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 10:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:jqueryui:jquery_ui:1.9.2:*:*:*:*:jquery:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux_hpc_node:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:7:*:*:*:*:*:*:*

* Denotes that component is vulnerable

OVAL Definitions:

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:com.redhat.rhsa:def:20151462 | P | RHSA-2015:1462: ipa security and bug fix update (Moderate) | 2015-07-22 |
| oval:com.redhat.rhsa:def:20150442 | P | RHSA-2015:0442: ipa security, bug fix, and enhancement update (Moderate) | 2015-03-05 |
| oval:com.ubuntu.precise:def:20126662000 | V | CVE-2012-6662 on Ubuntu 12.04 LTS (precise) - medium. | 2014-11-24 |
| oval:com.ubuntu.trusty:def:20126662000 | V | CVE-2012-6662 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-11-24 |

redhat enterprise linux desktop 7.0
redhat enterprise linux hpc node 7.0
redhat enterprise linux server 7.0
redhat enterprise linux workstation 7.0
jqueryui jquery ui 1.10.0 rc1
jquery jquery ui 1.9.2
redhat enterprise linux hpc node 7
redhat enterprise linux desktop 7
redhat enterprise linux server 7
redhat enterprise linux workstation 7