Two more brand new jquery-ui-rails advisories

rubysec · Sep 27, 2023 · 9fd6a2a · 9fd6a2a
1 parent 1da4d6d
commit 9fd6a2a
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 0 deletions.
diff --git a/gems/jquery-ui-rails/CVE-2010-5312.yml b/gems/jquery-ui-rails/CVE-2010-5312.yml
@@ -0,0 +1,44 @@
+---
+gem: jquery-ui-rails
+cve: 2010-5312
+ghsa: wcm2-9c89-wmfm
+url: https://nvd.nist.gov/vuln/detail/CVE-2010-5312
+title: Cross-site Scripting in jquery-ui
+date: 2017-10-24
+description: |
+  Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in
+  the Dialog widget in jQuery UI before 1.10.0 allows remote attackers
+  to inject arbitrary web script or HTML via the title option.
+cvss_v2: 4.3
+cvss_v3: 6.1
+patched_versions:
+  - ">= 4.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2010-5312
+    - https://github.com/jquery-ui-rails/jquery-ui-rails/commit/61a8e3f50796118e9f49fbd224b67d4065b40c50
+    - http://bugs.jqueryui.com/ticket/6016
+    - https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3
+    - https://security.netapp.com/advisory/ntap-20190416-0007
+    - https://exchange.xforce.ibmcloud.com/vulnerabilities/98696
+    - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f
+    - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442
+    - http://rhn.redhat.com/errata/RHSA-2015-0442.html
+    - http://rhn.redhat.com/errata/RHSA-2015-1462.html
+    - http://seclists.org/oss-sec/2014/q4/613
+    - http://seclists.org/oss-sec/2014/q4/616
+    - http://www.debian.org/security/2015/dsa-3249
+    - https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc
+    - https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
+    - https://www.drupal.org/sa-core-2022-002
+    - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f
+    - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442
+    - https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc
+    - https://lists.fedoraproject.org/archives/list/package-announce
+    - https://lists.fedoraproject.org/archives/list/package-announce
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
+    - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
+    - https://web.archive.org/web/20150316023043/http://www.securityfocus.com/bid/71106
+    - https://web.archive.org/web/20170316161850/http://www.securitytracker.com/id/1037035
+    - https://github.com/advisories/GHSA-wcm2-9c89-wmfm
diff --git a/gems/jquery-ui-rails/CVE-2012-6662.yml b/gems/jquery-ui-rails/CVE-2012-6662.yml
@@ -0,0 +1,32 @@
+---
+gem: jquery-ui-rails
+cve: 2012-6662
+ghsa: qqxp-xp9v-vvx6
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-6662
+title: Moderate severity vulnerability that affects jquery-ui
+date: 2017-10-24
+description: |
+  Cross-site scripting (XSS) vulnerability in the default content option
+  in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before
+  1.10.0 allows remote attackers to inject arbitrary web script or
+  HTML via the title attribute, which is not properly handled in the
+  autocomplete combo box demo.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 4.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2012-6662
+    - https://github.com/jquery-ui-rails/jquery-ui-rails/commit/61a8e3f50796118e9f49fbd224b67d4065b40c50
+    - https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde
+    - https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e
+    - http://bugs.jqueryui.com/ticket/8859
+    - http://bugs.jqueryui.com/ticket/8861
+    - https://github.com/jquery/jquery/issues/2432
+    - https://exchange.xforce.ibmcloud.com/vulnerabilities/98697
+    - http://rhn.redhat.com/errata/RHSA-2015-0442.html
+    - http://rhn.redhat.com/errata/RHSA-2015-1462.html
+    - http://seclists.org/oss-sec/2014/q4/613
+    - http://seclists.org/oss-sec/2014/q4/616
+    - http://www.securityfocus.com/bid/71107
+    - https://github.com/advisories/GHSA-qqxp-xp9v-vvx6