CVE-2015-9251MEDIUM
Description
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
References
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/105658
https://access.redhat.com/errata/RHSA-2020:0481
https://access.redhat.com/errata/RHSA-2020:0729
https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
https://github.com/jquery/jquery/issues/2432
https://github.com/jquery/jquery/pull/2588
https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2
https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.roller.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E
https://seclists.org/bugtraq/2019/May/18
https://security.netapp.com/advisory/ntap-20210108-0004/
https://snyk.io/vuln/npm:jquery:20150627
https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Details
Source: MITRE
Published: 2018-01-18
Updated: 2021-01-08
Type: CWE-79
Risk Information
CVSS v2.0
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3.0
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Impact Score: 2.7
Exploitability Score: 2.8
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
Configuration 2
OR
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 7.3.3 to 7.3.5 (inclusive)
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.7 (inclusive)
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from 8.0.5 to 8.0.7 (inclusive)
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.6 (inclusive)
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.7 (inclusive)
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.6 (inclusive)
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.1 to 17.12 (inclusive)
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from 4.3.0.1 to 4.3.0.4 (inclusive)
cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 145989 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847) | Nessus | CentOS Local Security Checks | medium |
| 145873 | CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670) | Nessus | CentOS Local Security Checks | medium |
| 143080 | RHEL 7 : ipa (RHSA-2020:3936) | Nessus | Red Hat Local Security Checks | medium |
| 142435 | RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670) | Nessus | Red Hat Local Security Checks | medium |
| 142409 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847) | Nessus | Red Hat Local Security Checks | medium |
| 142058 | Pulse Connect Secure < 9.1R9 (SA44601) | Nessus | Misc. | medium |
| 142057 | Pulse Policy Secure < 9.1R9 (SA44601) | Nessus | Misc. | medium |
| 141974 | Amazon Linux 2 : ipa-client (ALAS-2020-1519) | Nessus | Amazon Linux Local Security Checks | medium |
| 141734 | Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | medium |
| 141586 | CentOS 7 : ipa (CESA-2020:3936) | Nessus | CentOS Local Security Checks | medium |
| 140096 | Amazon Linux AMI : ruby24 (ALAS-2020-1422) | Nessus | Amazon Linux Local Security Checks | high |
| 135161 | openSUSE Security Update : ruby2.5 (openSUSE-2020-395) | Nessus | SuSE Local Security Checks | medium |
| 134824 | SUSE SLED15 / SLES15 Security Update : Recommended update for ruby2.5 (SUSE-SU-2020:0737-1) | Nessus | SuSE Local Security Checks | medium |
| 132936 | Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU) | Nessus | CGI abuses | high |
| 131184 | Oracle Enterprise Manager Ops Center (Jan 2019 CPU) | Nessus | Misc. | high |
| 130589 | Oracle Business Intelligence Publisher Multiple Vulnerabilities (Oct 2019 CPU) | Nessus | Misc. | medium |
| 130012 | Oracle WebLogic Server Multiple Vulnerabilities (Oct 2019 CPU) | Nessus | Misc. | medium |
| 128404 | FreeBSD : RDoc -- multiple jQuery vulnerabilities (ed8d5535-ca78-11e9-980b-999ff59c22ea) | Nessus | FreeBSD Local Security Checks | medium |
| 126829 | Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU) | Nessus | CGI abuses | high |
| 126776 | Oracle Business Intelligence Publisher Multiple Vulnerabilities (Jul 2019 CPU) | Nessus | Misc. | medium |
| 125152 | JQuery < 3.0.0 XSS | Nessus | CGI abuses : XSS | medium |
| 124565 | IBM BigFix Platform 9.5.x < 9.5.12 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 122657 | FreeBSD : rt -- XSS via jQuery (416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42) | Nessus | FreeBSD Local Security Checks | medium |
| 121257 | Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU) | Nessus | Misc. | high |
| 112435 | jQuery 1.12.4 < 3.0.0 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium |
| 112434 | jQuery 1.4.0 < 1.12.0 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium |
| 118714 | Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2018 CPU) | Nessus | CGI abuses | high |