CVE-2015-9251

MEDIUM

Description

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

References

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html

http://seclists.org/fulldisclosure/2019/May/10

http://seclists.org/fulldisclosure/2019/May/11

http://seclists.org/fulldisclosure/2019/May/13

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/105658

https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc

https://github.com/jquery/jquery/issues/2432

https://github.com/jquery/jquery/pull/2588

https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2

https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04

https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.roller.apache.org%3E

https://seclists.org/bugtraq/2019/May/18

https://snyk.io/vuln/npm:jquery:20150627

https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Details

Source: MITRE

Published: 2018-01-18

Updated: 2019-06-10

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 7.3.3 to 7.3.5 (inclusive)

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from 8.0.5 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.6 (inclusive)

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.6 (inclusive)

cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.1 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from 4.3.0.1 to 4.3.0.4 (inclusive)

cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

Tenable Plugins

View all (11 total)

ID	Name	Product	Family	Severity
130012	Oracle WebLogic Server Multiple Vulnerabilities (Oct 2019 CPU)	Nessus	Misc.	medium
128404	FreeBSD : RDoc -- multiple jQuery vulnerabilities (ed8d5535-ca78-11e9-980b-999ff59c22ea)	Nessus	FreeBSD Local Security Checks	medium
126829	Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU)	Nessus	CGI abuses	high
126776	Oracle Business Intelligence Publisher Multiple Vulnerabilities (Jul 2019 CPU)	Nessus	Windows	medium
125152	JQuery < 3.0.0 XSS	Nessus	CGI abuses : XSS	medium
124565	IBM BigFix Platform 9.5.x < 9.5.12 Multiple Vulnerabilities	Nessus	Web Servers	high
122657	FreeBSD : rt -- XSS via jQuery (416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	medium
121257	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Misc.	critical
112435	jQuery 1.12.4 < 3.0.0 Cross-Site Scripting	Web Application Scanning	Component Vulnerability	medium
112434	jQuery 1.4.0 < 1.12.0 Cross-Site Scripting	Web Application Scanning	Component Vulnerability	medium
118714	Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2018 CPU)	Nessus	CGI abuses	critical