CVE-2012-6662 - OpenCVE

Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux Desktop Enterprise Linux Workstation Enterprise Linux Hpc Node Enterprise Linux Server
Jqueryui	Jquery Ui

Configuration 1 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 2 [-]

cpe:2.3:a:jqueryui:jquery_ui:1.10.0:rc1:*:*:*:jquery:*:*

References

Link	Resource
http://bugs.jqueryui.com/ticket/8859	Issue Tracking Vendor Advisory
http://bugs.jqueryui.com/ticket/8861	Issue Tracking Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0442.html	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1462.html
http://seclists.org/oss-sec/2014/q4/613	Third Party Advisory VDB Entry
http://seclists.org/oss-sec/2014/q4/616	Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/71107
https://exchange.xforce.ibmcloud.com/vulnerabilities/98697
https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e	Patch Issue Tracking Third Party Advisory
https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde	Patch Issue Tracking Third Party Advisory
https://github.com/jquery/jquery/issues/2432

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-11-24T16:00:00

Updated: 2018-07-13T14:57:01

Reserved: 2014-11-14T00:00:00

Link: CVE-2012-6662

JSON object: View

NVD Information

Status : Modified

Published: 2014-11-24T16:59:01.993

Modified: 2018-07-14T01:29:00.267

Link: CVE-2012-6662

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-13T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/jquery/jquery/issues/2432"}, {"name": "RHSA-2015:0442", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0442.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.jqueryui.com/ticket/8861"}, {"name": "jqueryui-cve20126662-xss(98697)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98697"}, {"name": "[oss-security] 20141114 Re: old CVE assignments for JQuery 1.10.0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q4/616"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde"}, {"name": "RHSA-2015:1462", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1462.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.jqueryui.com/ticket/8859"}, {"name": "71107", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/71107"}, {"name": "[oss-security] 20141114 old CVE assignments for JQuery 1.10.0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q4/613"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-6662", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jquery/jquery/issues/2432", "refsource": "MISC", "url": "https://github.com/jquery/jquery/issues/2432"}, {"name": "RHSA-2015:0442", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0442.html"}, {"name": "http://bugs.jqueryui.com/ticket/8861", "refsource": "CONFIRM", "url": "http://bugs.jqueryui.com/ticket/8861"}, {"name": "jqueryui-cve20126662-xss(98697)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98697"}, {"name": "[oss-security] 20141114 Re: old CVE assignments for JQuery 1.10.0", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q4/616"}, {"name": "https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde", "refsource": "CONFIRM", "url": "https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde"}, {"name": "RHSA-2015:1462", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1462.html"}, {"name": "http://bugs.jqueryui.com/ticket/8859", "refsource": "CONFIRM", "url": "http://bugs.jqueryui.com/ticket/8859"}, {"name": "71107", "refsource": "BID", "url": "http://www.securityfocus.com/bid/71107"}, {"name": "[oss-security] 20141114 old CVE assignments for JQuery 1.10.0", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q4/613"}, {"name": "https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e", "refsource": "CONFIRM", "url": "https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-6662", "datePublished": "2014-11-24T16:00:00", "dateReserved": "2014-11-14T00:00:00", "dateUpdated": "2018-07-13T14:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "3C84489B-B08C-4854-8A12-D01B6E45CF79", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jqueryui:jquery_ui:1.10.0:rc1:*:*:*:jquery:*:*", "matchCriteriaId": "458843F0-2EAD-4E60-B3A6-6859A690173C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo."}, {"lang": "es", "value": "Vulnerabilidad de XSS en la opci\u00f3n de contenido por defecto en jquery.ui.tooltip.js en el widget Tooltip en jQuery UI anterior a 1.10.0 permite a atacantes remotos inyectar secuencias de comandos web o HTMl arbitrarios a trav\u00e9s del atributo del t\u00edtulo, lo cual no se maneja debidamente en la demostraci\u00f3n de cuadros combinados del autocompletado."}], "id": "CVE-2012-6662", "lastModified": "2018-07-14T01:29:00.267", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-11-24T16:59:01.993", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "http://bugs.jqueryui.com/ticket/8859"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "http://bugs.jqueryui.com/ticket/8861"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0442.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-1462.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://seclists.org/oss-sec/2014/q4/613"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://seclists.org/oss-sec/2014/q4/616"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/71107"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98697"}, {"source": "cve@mitre.org", "tags": ["Patch", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e"}, {"source": "cve@mitre.org", "tags": ["Patch", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde"}, {"source": "cve@mitre.org", "url": "https://github.com/jquery/jquery/issues/2432"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}