CVE-2015-9251

medium

Description

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

http://seclists.org/fulldisclosure/2019/May/10

http://seclists.org/fulldisclosure/2019/May/11

http://seclists.org/fulldisclosure/2019/May/13

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/105658

https://access.redhat.com/errata/RHSA-2020:0481

https://access.redhat.com/errata/RHSA-2020:0729

https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc

https://github.com/jquery/jquery/issues/2432

https://github.com/jquery/jquery/pull/2588

https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2

https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.roller.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://seclists.org/bugtraq/2019/May/18

https://security.netapp.com/advisory/ntap-20210108-0004/

https://snyk.io/vuln/npm:jquery:20150627

https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.tenable.com/security/tns-2019-08

Details

Source: MITRE

Published: 2018-01-18

Updated: 2021-01-08

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 7.3.3 to 7.3.5 (inclusive)

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from 8.0.5 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.6 (inclusive)

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.7 (inclusive)

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from 8.0.4 to 8.0.6 (inclusive)

cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.1 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from 4.3.0.1 to 4.3.0.4 (inclusive)

cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

Tenable Plugins

29 plugins in total.

ID | Name | Product | Family | Severity
154342 | Oracle GoldenGate (Oct 2021 CPU) | Nessus | Misc. | medium
147251 | NewStart CGSL CORE 5.04 / MAIN 5.04 : ipa Multiple Vulnerabilities (NS-SA-2021-0045) | Nessus | NewStart CGSL Local Security Checks | medium
145989 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847) | Nessus | CentOS Local Security Checks | medium
145873 | CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670) | Nessus | CentOS Local Security Checks | medium
143080 | RHEL 7 : ipa (RHSA-2020:3936) | Nessus | Red Hat Local Security Checks | medium
142435 | RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670) | Nessus | Red Hat Local Security Checks | medium
142409 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847) | Nessus | Red Hat Local Security Checks | medium
142058 | Pulse Connect Secure < 9.1R9 (SA44601) | Nessus | Misc. | high
142057 | Pulse Policy Secure < 9.1R9 (SA44601) | Nessus | Misc. | high
141974 | Amazon Linux 2 : ipa-client (ALAS-2020-1519) | Nessus | Amazon Linux Local Security Checks | medium
141734 | Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | medium
141586 | CentOS 7 : ipa (CESA-2020:3936) | Nessus | CentOS Local Security Checks | medium
140096 | Amazon Linux AMI : ruby24 (ALAS-2020-1422) | Nessus | Amazon Linux Local Security Checks | high
135161 | openSUSE Security Update : ruby2.5 (openSUSE-2020-395) | Nessus | SuSE Local Security Checks | medium
134824 | SUSE SLED15 / SLES15 Security Update : Recommended update for ruby2.5 (SUSE-SU-2020:0737-1) | Nessus | SuSE Local Security Checks | medium
132936 | Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU) | Nessus | CGI abuses | critical
131184 | Oracle Enterprise Manager Ops Center (Jan 2019 CPU) | Nessus | Misc. | critical
130589 | Oracle Business Intelligence Publisher Multiple Vulnerabilities (Oct 2019 CPU) | Nessus | Misc. | high
130012 | Oracle WebLogic Server Multiple Vulnerabilities (Oct 2019 CPU) | Nessus | Misc. | high
128404 | FreeBSD : RDoc -- multiple jQuery vulnerabilities (ed8d5535-ca78-11e9-980b-999ff59c22ea) | Nessus | FreeBSD Local Security Checks | medium
126829 | Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU) | Nessus | CGI abuses | critical
126776 | Oracle Business Intelligence Publisher Multiple Vulnerabilities (Jul 2019 CPU) | Nessus | Misc. | high
125152 | JQuery < 3.0.0 XSS | Nessus | CGI abuses : XSS | medium
124565 | IBM BigFix Platform 9.5.x < 9.5.12 Multiple Vulnerabilities | Nessus | Web Servers | critical
122657 | FreeBSD : rt -- XSS via jQuery (416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42) | Nessus | FreeBSD Local Security Checks | medium
121257 | Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU) | Nessus | Misc. | critical
112435 | jQuery 1.12.4 < 3.0.0 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium
112434 | jQuery 1.4.0 < 1.12.0 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium
118714 | Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2018 CPU) | Nessus | CGI abuses | critical