VYPR
Moderate severity · NVD Advisory · Published Jan 18, 2018 · Updated Aug 6, 2024

CVE-2012-6708

Description

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

jQuery before 1.9.0 incorrectly treats any string containing '<' as HTML, enabling XSS when attacker-controlled input is passed to the $() function.

Vulnerability

jQuery versions prior to 1.9.0 are vulnerable to Cross-site Scripting (XSS) because the jQuery(strInput) function does not reliably differentiate between CSS selectors and HTML markup. In vulnerable versions, jQuery treats a string containing a '<' character as HTML even when ordinary selector text precedes it, so an attacker who can append to a selector string passed to $() can have arbitrary markup parsed, including elements whose event-handler attributes execute script. The fixed version, jQuery 1.9.0, only interprets the input as HTML if it explicitly starts with a '<' character, significantly reducing the attack surface [1][2].

Exploitation

An attacker needs to control part of a string that the application passes to the jQuery $() function. The vulnerable rquickExpr (the '-' line in the patch below) matches any run of characters other than '#' or '<' followed by a tag, so a construction such as $(".tab-" + userInput) becomes an HTML parse as soon as userInput contains '<tag ...>'. The often-cited $(location.hash) vector belongs to the same class, but jQuery had already narrowed that specific case by giving '#id' priority over '<tag>' (the #9521 comment in the patched source), so a fragment beginning with '#' is not routed to the HTML branch in the releases this patch diffs against; text before the first '<' is the shape that remained open until 1.9.0. A proof-of-concept is available as a jsfiddle demonstrating the attack [1]. No authentication is required; the precondition is that the victim's application passes untrusted data to $() without validating it. The sink is client-side, and where the source is the URL fragment the payload never reaches the server, so server-side filtering does not see it.
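To make the two detection rules concrete, the added example below (not jQuery's code and not part of the original advisory) reproduces the pre- and post-fix rquickExpr regular expressions exactly as they appear in the patch on this page and runs constructed inputs through a small dispatcher that mirrors how jQuery() chooses between the HTML parser, the '#id' fast path and the Sizzle selector engine. The dispatcher, the sample strings and the label names are illustrative assumptions; only the two regexes are taken from the diff.

```javascript
// Added example (not jQuery's code): the two rquickExpr variants from the
// 1.9.0 fix, and a dispatcher that mirrors how jQuery(str) routes a string.

// Pre-1.9.0 ('-' line of the patch): any run of characters other than '#'
// or '<' may precede the first tag, so "a<div/>b" counts as HTML.
const rquickExprVulnerable = /^(?:[^#<]*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// 1.9.0 ('+' line of the patch): the first character must be '<'. Note the
// absence of \s*: a leading space sends the string to Sizzle instead.
const rquickExprFixed = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Approximation (assumption, not jQuery source) of jQuery(str)'s dispatch:
//   "html"     -> string goes to the HTML parser, a script-capable sink
//   "id"       -> "#id" fast path (document.getElementById)
//   "selector" -> handed to Sizzle, which throws on non-selector syntax
function classify(input, re) {
  const m = re.exec(input);
  if (m && m[1]) return "html";
  if (m && m[2] !== undefined) return "id";
  return "selector";
}

function classifyVulnerable(input) { return classify(input, rquickExprVulnerable); }
function classifyFixed(input) { return classify(input, rquickExprFixed); }

// Constructed inputs for the demonstration (not taken from the advisory).
const payload = "x<img src=x onerror=alert(1)>";   // attacker-controlled token
const samples = {
  prefixThenPayload: ".tab-" + payload, // $(".tab-" + userInput)
  hashThenPayload:   "#" + payload,     // $(location.hash): '#' comes first
  plainSelector:     "div.tab-x",
  idFastPath:        "#tab-x",
  payloadAtStart:    payload.slice(1),  // attacker controls the very start
  paddedHtml:        " <div/> ",        // the case the patch's new test covers
};

// Side-by-side routing decision for every sample under both regexes.
function compare(inputs) {
  const out = {};
  for (const [name, str] of Object.entries(inputs)) {
    out[name] = { vulnerable: classifyVulnerable(str), fixed: classifyFixed(str) };
  }
  return out;
}

console.table(compare(samples));
```

Run with node. The prefixThenPayload row is the shape 1.9.0 closes (HTML before, selector after). The hashThenPayload row shows why a bare $(location.hash) is a weak illustration against the later 1.x releases: the leading '#' already keeps it out of the HTML branch under both regexes. The payloadAtStart row shows what 1.9.0 does not close, and the paddedHtml row shows the behaviour the patch's new selector test asserts.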

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session, leading to potential data theft, session hijacking, or other actions performed with the victim's privileges on that origin. Because the sink is a client-side call, this is DOM-based XSS: the source may be a URL fragment or query parameter (reflected) or data the page reads back from storage or an API (stored), but the core impact is a Cross-site Scripting (XSS) vulnerability, with a CVSS base score of 6.1 (Medium) according to NVD [2].

Mitigation

Upgrade to jQuery 1.9.0 or later (jquery-rails 2.2.0 or later), where the fix is implemented. The 1.x and 2.x branches are no longer supported, and users on unsupported branches should move to the latest supported release to continue receiving security updates [3]. The fix narrows the problem rather than removing it: a string that begins with '<' is still parsed as HTML in 1.9.0 and later, so an attacker who controls the start of the argument still gets script execution. Treat the upgrade as defence in depth and fix the application pattern as well: never concatenate untrusted input into the argument of $(); build selectors from constants plus a strictly validated token, and use jQuery.parseHTML() only for strings that are known to be markup. Note also that the jQuery Migrate 1.x compatibility plugin restores the pre-1.9 leniency for $(html) (with a console warning), so it must not be shipped to production. No public evidence of this CVE being listed in CISA's Known Exploited Vulnerabilities (KEV) catalog was found in the provided references.
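The application-side rule above, written out as an added example (not jQuery's code and not from the advisory). The '#tab-' prefix, the function names and the allow-list are assumptions chosen for illustration; the point is that the user-controlled part is validated against the characters a selector token may legitimately contain before it is concatenated, and that a hash is parsed for a token rather than handed to $() whole.

```javascript
// Added example (not jQuery's code): validate the untrusted fragment before it
// is concatenated into a selector, so jQuery() never sees attacker markup.

// Allow-list for an id token: letters, digits, hyphen, underscore. Anything
// else ('<', '>', quotes, whitespace, '#') is rejected rather than escaped.
const SAFE_TOKEN = /^[A-Za-z0-9_-]+$/;

// Build "#tab-<token>" from a user-supplied token, or return null. The prefix
// is a constant (assumed for this example), so the only variable part is the
// validated token.
function tabSelectorFor(userToken) {
  if (typeof userToken !== "string" || !SAFE_TOKEN.test(userToken)) return null;
  return "#tab-" + userToken;
}

// For hash-driven navigation, extract the token from location.hash instead of
// calling jQuery(location.hash): "#tab-settings" -> "#tab-settings",
// "#tab-x<img ...>" -> null, "#other" -> null.
function tabSelectorFromHash(hash) {
  const prefix = "#tab-";
  if (typeof hash !== "string" || !hash.startsWith(prefix)) return null;
  return tabSelectorFor(hash.slice(prefix.length));
}

// Caller-side shape: `select` stands in for window.jQuery; only a non-null,
// validated selector is ever passed to it.
function selectTab(hash, select) {
  const sel = tabSelectorFromHash(hash);
  return sel === null ? null : select(sel);
}

// Constructed inputs, same payload shape as the exploitation section.
console.log(tabSelectorFromHash("#tab-settings"));
console.log(tabSelectorFromHash("#tab-x<img src=x onerror=alert(1)>"));
```

Rejecting instead of escaping keeps the rule simple and version-independent: it does not matter which jQuery release is loaded, because nothing containing '<' ever reaches $(). If the token must carry characters outside the allow-list, escape it with CSS.escape() in the browser and still keep the constant prefix.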

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions   Patched versions
jquery                  npm         < 1.9.0             1.9.0
org.webjars.npm:jquery  Maven       < 1.9.0             1.9.0
jQuery                  NuGet       < 1.9.0             1.9.0
jquery-rails            RubyGems    < 2.2.0             2.2.0


Patches

05531fc4080a

Adjust jQuery('html') detection to only match when html starts with '<' (not counting space characters). Fixes #11290.

https://github.com/jquery/jquery · timmywil · Jun 20, 2012 · via ghsa
5 files changed · +21 −12
  • src/core.js (+2 −1, modified)
    @@ -49,7 +49,8 @@ var
     
     	// A simple way to check for HTML strings
     	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
    -	rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*|#([\w-]*))$/,
    +	// Strict HTML recognition (#11290: must start with <)
    +	rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
     
     	// Match a standalone tag
     	rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>|)$/,
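Review bot: the commit message says the new detection ignores leading space characters, but the regex on the `+` line, `rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/`, anchors `<` at position 0 with no `\s*`, and the new selector test in this same patch asserts that `jQuery(" <div/> ")` throws a syntax error; either reword the message to say leading whitespace is now rejected (the stricter and safer reading) or, if trimming was intended, the pattern would need `^\s*<`. The new comment `// Strict HTML recognition (#11290: must start with <)` should also note that the trailing `[^>]*` still accepts arbitrary text after the last `>`, so this is a prefix check only and does not validate the string as a whole.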
    
  • src/sizzle (+1 −1, modified)
    @@ -1 +1 @@
    -Subproject commit 20ad5f811e22bf8528d8c33f0e7966fdb461c55a
    +Subproject commit 8c6ed151bdfd03b8a8ec3707963caada8e73d041
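Review bot: the Sizzle submodule moves from 20ad5f81 to 8c6ed151 with no mention in the commit message of what that pull-in changes; since the new selector.js test relies on Sizzle raising a "Syntax error" for `" <div/> "`, state which Sizzle change this fix depends on (or land the bump separately) so a backport to a maintenance branch does not silently pick up unrelated selector-engine changes along with the security fix.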
    
  • test/unit/core.js (+4 −8, modified)
    @@ -27,7 +27,7 @@ test("jQuery()", function() {
     		div = jQuery("<div/><hr/><code/><b/>"),
     		exec = false,
     		lng = "",
    -		expected = 26,
    +		expected = 22,
     		attrObj = {
     			"click": function() { ok( exec, "Click executed." ); },
     			"text": "test",
    @@ -139,15 +139,9 @@ test("jQuery()", function() {
     	// manually clean up detached elements
     	elem.remove();
     
    -	equal( jQuery(" <div/> ").length, 1, "Make sure whitespace is trimmed." );
    -	equal( jQuery(" a<div/>b ").length, 1, "Make sure whitespace and other characters are trimmed." );
    -
     	for ( i = 0; i < 128; i++ ) {
     		lng += "12345678";
     	}
    -
    -	equal( jQuery(" <div>" + lng + "</div> ").length, 1, "Make sure whitespace is trimmed on long strings." );
    -	equal( jQuery(" a<div>" + lng + "</div>b ").length, 1, "Make sure whitespace and other characters are trimmed on long strings." );
     });
     
     test( "selector state", function() {
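Review bot: four positive assertions are deleted here (`jQuery(" <div/> ")`, `jQuery(" a<div/>b ")` and their long-string variants) but only the leading-space case gains a negative test elsewhere in this patch; the `" a<div/>b "` shape, text before the first `<`, is the one #11290 is actually about, so add a `raises` assertion for it, for example `raises(function() { jQuery.call( null, " a<div/>b " ); })`, otherwise a regression that reintroduces the `[^#<]*` prefix would pass the suite.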
    @@ -1206,7 +1200,7 @@ test("jQuery.proxy", function(){
     });
     
     test("jQuery.parseHTML", function() {
    -	expect( 12 );
    +	expect( 13 );
     
     	var html, nodes;
     
    @@ -1231,6 +1225,8 @@ test("jQuery.parseHTML", function() {
     
     	equal( jQuery.parseHTML("text")[0].nodeType, 3, "Parsing text returns a text node" );
     	equal( jQuery.parseHTML( "\t<div></div>" )[0].nodeValue, "\t", "Preserve leading whitespace" );
    +
    +	equal( jQuery.parseHTML(" <div/> ")[0].nodeType, 3, "Leading spaces are treated as text nodes (#11290)" );
     });
     
     test("jQuery.parseJSON", function(){
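Review bot: the new assertion only checks that `jQuery.parseHTML(" <div/> ")[0]` is a text node; also assert on the returned length and on `[1].nodeName` being `DIV`, so the test pins that the element is still parsed after the leading whitespace rather than merely that a text node comes first.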
    
  • test/unit/selector.js (+13 −1, modified)
    @@ -17,7 +17,7 @@ test("element - jQuery only", function() {
     	ok( jQuery("#length").length, "<input name=\"length\"> cannot be found under IE, see #945" );
     	ok( jQuery("#lengthtest input").length, "<input name=\"length\"> cannot be found under IE, see #945" );
     
    -	//#7533
    +	// #7533
     	equal( jQuery("<div id=\"A'B~C.D[E]\"><p>foo</p></div>").find("p").length, 1, "Find where context root is a node and has an ID with CSS3 meta characters" );
     });
     
    @@ -77,6 +77,18 @@ test("disconnected nodes", function() {
     	equal( $div.is("div"), true, "Make sure .is('nodeName') works on disconnect nodes." );
     });
     
    +test("jQuery only - broken", 1, function() {
    +	raises(function() {
    +		// Setting context to null here somehow avoids QUnit's window.error handling
    +		// making the e & e.message correct
    +		// For whatever reason, without this,
    +		// Sizzle.error will be called but no error will be seen in oldIE
    +		jQuery.call( null, " <div/> " );
    +	}, function( e ) {
    +		return e.message.indexOf("Syntax error") >= 0;
    +	}, "leading space invalid: $(' <div/> ')" );
    +});
    +
     testIframe("selector/html5_selector", "attributes - jQuery.attr", function( jQuery, window, document ) {
     	expect( 35 );
     
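Review bot: the test name `"jQuery only - broken"` does not say what is under test; name it after the ticket (for example `"jQuery(' <div/> ') is a syntax error (#11290)"`) so a future failure is traceable. Matching on `e.message.indexOf("Syntax error")` couples the test to Sizzle's message text; if Sizzle exposes a stable error marker, prefer that. The comment `// Setting context to null here somehow avoids QUnit's window.error handling` should state the actual reason before merge, since "somehow" in a regression test for a security fix leaves the next maintainer guessing whether the null context is essential.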
    
  • test/unit/traversing.js (+1 −1, modified)
    @@ -114,7 +114,7 @@ test("is() with positional selectors", function() {
     				"<p id='posp'><a class='firsta' href='#'><em>first</em></a><a class='seconda' href='#'><b>test</b></a><em></em></p>"
     			).appendTo( "body" ),
     		isit = function(sel, match, expect) {
    -			equal( jQuery( sel ).is( match ), expect, "jQuery( " + sel + " ).is( " + match + " )" );
    +			equal( jQuery( sel ).is( match ), expect, "jQuery('" + sel + "').is('" + match + "')" );
     		};
     
     	isit( "#posp", "#posp:first", true );
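Review bot: the only change in this hunk is the quoting in the assertion message built by `isit`, which is unrelated to #11290; keep cosmetic test-message edits out of a security fix commit so the change set that gets backported or audited is exactly the one the commit message describes.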
    

References (26)
