CVE-2015-9251

MEDIUM

Description

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

http://seclists.org/fulldisclosure/2019/May/10

http://seclists.org/fulldisclosure/2019/May/11

http://seclists.org/fulldisclosure/2019/May/13

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/105658

https://access.redhat.com/errata/RHSA-2020:0481

https://access.redhat.com/errata/RHSA-2020:0729

https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc

https://github.com/jquery/jquery/issues/2432

https://github.com/jquery/jquery/pull/2588

https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2

https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.roller.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://seclists.org/bugtraq/2019/May/18

https://security.netapp.com/advisory/ntap-20210108-0004/

https://snyk.io/vuln/npm:jquery:20150627

https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.tenable.com/security/tns-2019-08

Details

Source: MITRE

Published: 2018-01-18

Updated: 2021-01-08

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 7.3.3 to 7.3.5 (inclusive)

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from 8.0.5 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.6 (inclusive)

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.6 (inclusive)

cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.1 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from 4.3.0.1 to 4.3.0.4 (inclusive)

cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

Tenable Plugins

View all (27 total)

IDNameProductFamilySeverity
145989CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847)NessusCentOS Local Security Checks
medium
145873CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670)NessusCentOS Local Security Checks
medium
143080RHEL 7 : ipa (RHSA-2020:3936)NessusRed Hat Local Security Checks
medium
142435RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670)NessusRed Hat Local Security Checks
medium
142409RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847)NessusRed Hat Local Security Checks
medium
142058Pulse Connect Secure < 9.1R9 (SA44601)NessusMisc.
medium
142057Pulse Policy Secure < 9.1R9 (SA44601)NessusMisc.
medium
141974Amazon Linux 2 : ipa-client (ALAS-2020-1519)NessusAmazon Linux Local Security Checks
medium
141734Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001)NessusScientific Linux Local Security Checks
medium
141586CentOS 7 : ipa (CESA-2020:3936)NessusCentOS Local Security Checks
medium
140096Amazon Linux AMI : ruby24 (ALAS-2020-1422)NessusAmazon Linux Local Security Checks
high
135161openSUSE Security Update : ruby2.5 (openSUSE-2020-395)NessusSuSE Local Security Checks
medium
134824SUSE SLED15 / SLES15 Security Update : Recommended update for ruby2.5 (SUSE-SU-2020:0737-1)NessusSuSE Local Security Checks
medium
132936Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)NessusCGI abuses
high
131184Oracle Enterprise Manager Ops Center (Jan 2019 CPU)NessusMisc.
high
130589Oracle Business Intelligence Publisher Multiple Vulnerabilities (Oct 2019 CPU)NessusMisc.
medium
130012Oracle WebLogic Server Multiple Vulnerabilities (Oct 2019 CPU)NessusMisc.
medium
128404FreeBSD : RDoc -- multiple jQuery vulnerabilities (ed8d5535-ca78-11e9-980b-999ff59c22ea)NessusFreeBSD Local Security Checks
medium
126829Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU)NessusCGI abuses
high
126776Oracle Business Intelligence Publisher Multiple Vulnerabilities (Jul 2019 CPU)NessusMisc.
medium
125152JQuery < 3.0.0 XSSNessusCGI abuses : XSS
medium
124565IBM BigFix Platform 9.5.x < 9.5.12 Multiple VulnerabilitiesNessusWeb Servers
high
122657FreeBSD : rt -- XSS via jQuery (416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42)NessusFreeBSD Local Security Checks
medium
121257Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)NessusMisc.
high
112435jQuery 1.12.4 < 3.0.0 Cross-Site ScriptingWeb Application ScanningComponent Vulnerability
medium
112434jQuery 1.4.0 < 1.12.0 Cross-Site ScriptingWeb Application ScanningComponent Vulnerability
medium
118714Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2018 CPU)NessusCGI abuses
high