Vulnerability CVE-2015-9251


Published: 2018-01-18   Modified: 2018-01-19

Description:
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
dotCMS 5.1.1 Vulnerable Dependencies
John Martinelli
11.05.2019
Low
OctoberCMS Insecure Dependencies
SECURELI.com
15.03.2020

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Oracle -> Healthcare foundation 
Oracle -> Retail invoice matching 
Oracle -> Healthcare translational research 
Oracle -> Retail sales audit 
Oracle -> Hospitality cruise fleet management 
Oracle -> Retail workforce management software 
Oracle -> Agile product lifecycle management for process 
Oracle -> Hospitality guest access 
Oracle -> Service bus 
Oracle -> Banking platform 
Oracle -> Hospitality materials control 
Oracle -> Siebel ui framework 
Oracle -> Business process management suite 
Oracle -> Hospitality reporting and analytics 
Oracle -> Utilities mobile workforce management 
Oracle -> Communications interactive session recorder 
Oracle -> Insurance insbridge rating and underwriting 
Oracle -> Webcenter sites 
Oracle -> Endeca information discovery studio 
Oracle -> Jd edwards enterpriseone tools 
Oracle -> Weblogic server 
Oracle -> Enterprise manager ops center 
Oracle -> Jdeveloper 
Oracle -> Utilities framework 
Oracle -> Enterprise operations monitor 
Oracle -> Oss support tools 
Oracle -> Financial services analytical applications infrastructure 
Oracle -> Peoplesoft enterprise peopletools 
Oracle -> Financial services asset liability management 
Oracle -> Primavera gateway 
Oracle -> Financial services funds transfer pricing 
Oracle -> Primavera unifier 
Oracle -> Financial services market risk measurement and management 
Oracle -> Real-time scheduler 
Oracle -> Financial services profitability management 
Oracle -> Retail allocation 
Oracle -> Financial services reconciliation framework 
Oracle -> Retail customer insights 
Oracle -> Fusion middleware mapviewer 
Jquery -> Jquery 

 References:
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/105658
https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
https://github.com/jquery/jquery/issues/2432
https://github.com/jquery/jquery/pull/2588
https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2
https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04
https://seclists.org/bugtraq/2019/May/18
https://snyk.io/vuln/npm:jquery:20150627
https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Copyright 2021, cxsecurity.com

 

Back to Top