CVE-2012-6662
jquery-ui Tooltip widget vulnerable to XSS
EPSS 7.0%
Description
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.
How to fix CVE-2012-6662
To remediate CVE-2012-6662, upgrade the affected package to one of the fixed versions listed below.
- Debian/jqueryui—upgrade to 1.10.1+dfsg-1 or later
- Maven/org.webjars.npm:jquery-ui—upgrade to 1.10.0 or later
- —upgrade to 1.10.0 or later
- —upgrade to 1.10.0 or later
- —upgrade to 4.0.0 or later
Is CVE-2012-6662 being exploited?
Moderate: EPSS is 7.0%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 1.10.1+dfsg-1
- from 0, < 1.10.0
- from 0, < 1.10.0
- from 0, < 1.10.0
- from 0, < 4.0.0