GitHub Advisory DatabaseGHSA-QQXP-XP9V-VVX6jquery-ui Tooltip widget vulnerable to XSS
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
64.7%
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jquery.ui.combined | lt | 1.10.0 | |
| org.webjars.npm:jquery-ui | lt | 1.10.0 | |
| jquery-ui-rails | lt | 4.0.0 | |
| jquery-ui | lt | 1.10.0 |
References
bugs.jqueryui.com/ticket/8859
bugs.jqueryui.com/ticket/8861
rhn.redhat.com/errata/RHSA-2015-0442.html
rhn.redhat.com/errata/RHSA-2015-1462.html
seclists.org/oss-sec/2014/q4/613
seclists.org/oss-sec/2014/q4/616
exchange.xforce.ibmcloud.com/vulnerabilities/98697
github.com/advisories/GHSA-qqxp-xp9v-vvx6
github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e
github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde
github.com/jquery/jquery/issues/2432
github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2012-6662.yml
nvd.nist.gov/vuln/detail/CVE-2012-6662
Related
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
64.7%