It automatically executes JavaScript received on AJAX requests.
Consider this example, which performs a GET request to a URL that the user can input.
$.get($("input").val())
Now, if the user inputs https://sakurity.com/jqueryxss, jQuery will recognize that as being JavaScript (because of the content type header) and execute it automatically. Executing JavaScript from other domains is effectively XSS, so the executed JavaScript can take over the session or change the page appearance.
This is only exploitable if you can trigger an AJAX request to a malicious JavaScript file.
I wrote a blog post about this: Libraries that evaluate remote JavaScript
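A defensive counterpart to the `$.get($("input").val())` call above, as an added example that is not part of the original post: the user-supplied URL is resolved and checked against an origin allowlist before any request is made, and the request sets jQuery's `dataType` explicitly so the response's content type does not decide how it is handled. `ALLOWED_ORIGINS`, `safeAjaxUrl`, `fetchUserUrl` and the `app.example.com` origin are assumptions made for the illustration.

```javascript
// Added example (not from the original post). All names are hypothetical.
// Origins the page is willing to request on the user's behalf (constructed sample).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Returns a normalized URL string if the input resolves to an allowed origin,
// otherwise null. pageUrl is the URL of the current page (location.href).
function safeAjaxUrl(userInput, pageUrl) {
  if (typeof userInput !== "string") return null;
  let target;
  try {
    // Resolve the way a browser would, so relative and protocol-relative
    // input ("//host/path") is judged by where it really points.
    target = new URL(userInput.trim(), pageUrl);
  } catch (e) {
    return null; // not parseable as a URL
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Reject embedded credentials such as https://app.example.com@other.host/
  if (target.username || target.password) return null;
  if (!ALLOWED_ORIGINS.has(target.origin)) return null;
  return target.href;
}

// jq is the jQuery object ($). Passing it in keeps the function testable.
function fetchUserUrl(jq, userInput, pageUrl) {
  const url = safeAjaxUrl(userInput, pageUrl);
  if (url === null) return null; // refuse instead of requesting
  // With dataType "text" the body is handed back as a string; jQuery does
  // not infer a type from the Content-Type header, so nothing is evaluated.
  return jq.ajax({ url: url, method: "GET", dataType: "text" });
}
```

In the page, the call becomes `fetchUserUrl($, $("input").val(), location.href)`, and a `null` return means the input was rejected.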