Fluid Attacks Database

Description

jquery-ui Tooltip widget vulnerable to XSS Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	jquery-ui-rails	>=0 <4.0.0	4.0.0
debian 12	jqueryui	>=0 <1.10.1+dfsg-1	1.10.1+dfsg-1
maven	org.webjars.npm:jquery-ui	>=0 <1.10.0	1.10.0
nuget	jquery.ui.combined	>=0 <1.10.0	1.10.0
debian 13	jqueryui	>=0 <1.10.1+dfsg-1	1.10.1+dfsg-1
debian 14	jqueryui	>=0 <1.10.1+dfsg-1	1.10.1+dfsg-1
npm	jquery-ui	>=0 <1.10.0	1.10.0
debian 11	jqueryui	>=0 <1.10.1+dfsg-1	1.10.1+dfsg-1
rpm rhel7	ipa	<0:4.1.0-18.el7	0:4.1.0-18.el7
rpm rhel6	ipa	<0:3.0.0-47.el6	0:3.0.0-47.el6

1-10 of 13

Aliases

1. CVE-2012-66622. NVD-2012-66623. OSV-2012-66624. OSV-DEBIAN-2012-66625. GCVE-2012-66626. SECURITY-TRACKER-CVE-2012-6662

References

1. https://github.com/jquery/jquery/issues/24322. https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e3. https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde4. https://exchange.xforce.ibmcloud.com/vulnerabilities/986975. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2012-6662.yml6. http://bugs.jqueryui.com/ticket/88597. http://bugs.jqueryui.com/ticket/88618. http://rhn.redhat.com/errata/RHSA-2015-0442.html9. http://rhn.redhat.com/errata/RHSA-2015-1462.html10. http://seclists.org/oss-sec/2014/q4/61311. http://seclists.org/oss-sec/2014/q4/616