jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
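The difference between the two checks described above, as an added example (not jQuery's source and not from this advisory). The function names and sample strings are constructed, and the heuristics are simplified to exactly what the description states.

```javascript
// Simplified model of the input classification described in the advisory text.
// All names and sample inputs here are hypothetical, constructed for illustration.

// True when a version string such as "1.8.3" is lower than 1.9.0.
// Pre-release suffixes (e.g. "-rc1") are ignored in this sketch.
function isAffectedVersion(version) {
  const [major = 0, minor = 0] = version
    .split(".")
    .map((part) => parseInt(part, 10) || 0);
  return major < 1 || (major === 1 && minor < 9);
}

// How jQuery(strInput) would treat the string under each behaviour:
//   affected versions: '<' anywhere in the string means HTML
//   fixed versions:    only a string that starts with '<' means HTML
function classify(input, version) {
  const asHtml = isAffectedVersion(version)
    ? input.includes("<")
    : input.startsWith("<");
  return asHtml ? "html" : "selector";
}

// Inputs whose handling changes across the fix. Call sites that pass
// strings shaped like these to jQuery() are the ones to review first.
function changedByFix(inputs) {
  return inputs.filter(
    (s) => classify(s, "1.8.3") !== classify(s, "1.9.0")
  );
}

// Constructed sample inputs.
const SAMPLE_INPUTS = [
  "#tab-2",               // plain id selector
  "<p>hello</p>",         // markup from the first character
  "div.note <b>text</b>", // selector-like prefix followed by markup
  ".item > a",            // child combinator, contains '>' but no '<'
];

for (const s of SAMPLE_INPUTS) {
  console.log(JSON.stringify(s), classify(s, "1.8.3"), classify(s, "1.9.0"));
}
console.log("changed by fix:", changedByFix(SAMPLE_INPUTS));
```

In a page that loads jQuery, the version string to pass to `isAffectedVersion` is available as `jQuery.fn.jquery`.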
Base Score: 4.3
Impact Score: 2.9
Exploitability Score: 8.6
Base Score: 6.1
Impact Score: 2.7
Exploitability Score: 2.8
| ID | Name | Product | Family |
|---|---|---|---|
| 140096 | Amazon Linux AMI : ruby24 (ALAS-2020-1422) | Nessus | Amazon Linux Local Security Checks |
| 135161 | openSUSE Security Update : ruby2.5 (openSUSE-2020-395) | Nessus | SuSE Local Security Checks |
| 135011 | JQuery < 1.9.0 XSS | Nessus | CGI abuses : XSS |
| 134824 | SUSE SLED15 / SLES15 Security Update : Recommended update for ruby2.5 (SUSE-SU-2020:0737-1) | Nessus | SuSE Local Security Checks |
| 128404 | FreeBSD : RDoc -- multiple jQuery vulnerabilities (ed8d5535-ca78-11e9-980b-999ff59c22ea) | Nessus | FreeBSD Local Security Checks |
| 125483 | F5 Networks BIG-IP : jQuery vulnerability (K62532311) | Nessus | F5 Networks Local Security Checks |
| 124565 | IBM BigFix Platform 9.5.x < 9.5.12 Multiple Vulnerabilities | Nessus | Web Servers |
| 112432 | jQuery 1.7.1 < 1.9.0 Cross-Site Scripting | Web Application Scanning | Component Vulnerability |