CVE-2015-9251

CWE-79 — Cross-site Scripting (XSS)CWE-400 — Uncontrolled Resource Consumption24 documents11 sources

Severity

6.1MEDIUM

EPSS

27.2%

top 3.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jquery Jquery Oracle Communications Converged Application Server Oracle Communications Services Gatekeeper +44 more

Timeline

PublishedJan 18

Latest updateJul 15

Description

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages52 packages

▶NuGetjQuery1.12.3 — 3.0.0+1

▶npmjquery1.12.3 — 3.0.0+1

▶RubyGemsjquery-rails< 4.2.0

▶NVDjquery/jquery< 3.0.0

▶Mavenorg.webjars.npm:jquery1.12.3 — 3.0.0+1

Patches

Patch: www.oracle.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-Site Scripting (XSS) in jquery↗2018-01-22

▶

GHSA

Cross-Site Scripting (XSS) in jquery↗2018-01-22

▶

OSV

CVE-2015-9251: jQuery before 3↗2018-01-18

▶

CVEList

CVE-2015-9251: jQuery before 3↗2018-01-18

▶

VulnCheck

JQuery JQuery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')↗2015

▶

📋Vendor Advisories

Oracle

Oracle Oracle Retail Applications Risk Matrix: Promotions (jQuery) — CVE-2015-9251↗2020-07-15

▶

Oracle

Oracle Oracle Knowledge Risk Matrix: Information Manager Console, Web Applications - InfoCenter (jQuery) — CVE-2015-9251↗2020-04-15

▶

Red Hat

libxml2: Infinite loop caused by incorrect error detection during LZMA decompression↗2018-04-03

▶

Drupal

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001↗2018-02-21

▶

Microsoft

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option causing text/javascript responses to be executed.↗2018-01-09

▶

💬Community

HackerOne

Ruby is shipping a vulnerable jQuery↗2019-10-03

▶

Bugzilla

CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression↗2018-08-22

▶

Bugzilla

CVE-2018-9251 libxml2: infinite loop in xz_decomp function in xzlib.c↗2018-04-09

▶

Bugzilla

CVE-2015-9251 CVE-2017-16012 python-tw2-jquery: various flaws [fedora-all]↗2016-11-29

▶

Bugzilla

CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests↗2016-11-29

▶