Bug 1111661 - (CVE-2017-16011) VUL-0: CVE-2017-16011: python-XStatic-jQuery: js-jquery: XSS via improper selector detection
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Jeremy Moffitt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/207197/
Whiteboard: CVSSv3.1:SUSE:CVE-2012-6708:6.8:(AV:...
Depends on:
Blocks: CVE-2012-6708
Reported: 2018-10-12 13:39 UTC by Alexander Bergmann
Modified: 2022-09-21 09:08 UTC
CC: 4 users
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2018-10-12 13:39:58 UTC
rh#1591840

Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution.

References:

https://bugs.jquery.com/ticket/11290
https://bugs.jquery.com/ticket/12531
https://bugs.jquery.com/ticket/6429
https://bugs.jquery.com/ticket/9521
https://nodesecurity.io/advisories/329
https://bugzilla.redhat.com/show_bug.cgi?id=1591840
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16011
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16011.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16011
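The bug class described in the report, shown with an added JavaScript example that is not jQuery's source and not part of this bug report. The two regular expressions are constructed for this illustration: `LOOSE_RE` models an "is this string HTML?" check that lets arbitrary non-`<` text precede the first tag, and `STRICT_RE` models an anchored check that only accepts markup beginning at position 0 (the approach later jQuery releases took). The `classify*` and `misclassified` helpers and the sample inputs are likewise constructed here.

```javascript
// Added illustration of the bug class described above; not jQuery's code.
// LOOSE_RE: a loosely anchored "looks like HTML" check (constructed; the
// leading [^<]* allows any prefix such as "#" or plain text before the tag).
// STRICT_RE: an anchored check that only treats the input as HTML when the
// markup starts the string (constructed, modelled on later jQuery behaviour).
const LOOSE_RE = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const STRICT_RE = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Route a string the way a jQuery-style constructor would: capture group 1
// means "parse as HTML", group 2 means "look up by id", otherwise "selector".
function classify(input, re) {
  const m = re.exec(input);
  if (m && m[1]) return "html";
  if (m && m[2] !== undefined) return "id";
  return "selector";
}

function classifyLoose(input) { return classify(input, LOOSE_RE); }
function classifyStrict(input) { return classify(input, STRICT_RE); }

// Audit helper: given strings an application passes to a jQuery-style
// constructor (for example values derived from location.hash), list those
// the loose check would hand to the HTML parser while the anchored check
// would treat them as a selector. These are the inputs a reviewer should
// look at when deciding whether an upgrade or input sanitisation is needed.
function misclassified(inputs) {
  return inputs.filter((s) => classifyLoose(s) === "html" && classifyStrict(s) !== "html");
}

// Constructed sample inputs.
const SAMPLES = [
  "#main",                   // id lookup under both checks
  "div.item > a",            // CSS selector under both checks
  "<p>literal markup</p>",   // genuine HTML string under both checks
  "#<b>constructed</b>",     // hash-like prefix: loose check parses the tag as HTML
  "hello <i>world</i>",      // free text: loose check still parses the tag as HTML
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "loose:", classifyLoose(s), "strict:", classifyStrict(s));
  }
  console.log("misclassified by the loose check:", misclassified(SAMPLES));
}
```

Running the block prints how each sample is routed under both checks; the last line lists the two inputs that only the loosely anchored check would parse as HTML, which is exactly the difference the report describes between the affected and fixed behaviour.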