Vulnerability Description
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
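To make the mechanism in that description concrete, here is an added JavaScript example, not code from jQuery or from this advisory, that models in a few functions how jQuery before 3.0.0 chose a response type for an Ajax call. The names `DEFAULT_CONTENTS`, `makeSettings`, `inferResponseType`, `applyCrossDomainPrefilter` and `auditCalls` are assumptions of this model, not jQuery APIs; the `contents` table only mirrors the shape of jQuery's `ajaxSettings.contents`. It shows the weak case (no `dataType`, cross-domain request, `text/javascript` Content-Type resolved to the script converter, which jQuery evaluates), a prefilter modelled on the fix in the referenced 3.0.0 commit (disable script auto-detection for cross-domain requests), and the application-side fix of always passing an explicit `dataType`, plus a small audit helper that flags calls still in the weak configuration.

```javascript
// Added example, not jQuery's source: a simplified model of response-type
// inference in jQuery < 3.0.0 and of the two ways to close the gap.

// Mirrors the shape of jQuery's ajaxSettings.contents: type name -> regex that
// is tested against the response Content-Type header. Order matters.
const DEFAULT_CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

// Build the subset of Ajax settings relevant here (assumed helper).
// A request is cross-domain when its URL is not under the page origin.
function makeSettings({ url, dataType, origin = "https://app.example" }) {
  const crossDomain = !url.startsWith(origin + "/");
  return { url, dataType, crossDomain, contents: { ...DEFAULT_CONTENTS } };
}

// Model of the pre-3.0 behaviour: an explicit dataType wins; otherwise the
// first contents regex matching the Content-Type decides. A "script" result
// means the response body is handed to the script converter and executed.
function inferResponseType(settings, contentType) {
  if (settings.dataType) return settings.dataType;
  for (const [type, matcher] of Object.entries(settings.contents)) {
    if (matcher && matcher.test(contentType)) return type;
  }
  return "text";
}

// Model of the upstream fix: for cross-domain requests, switch off script
// auto-detection. A caller that really wants a script still gets one by
// passing dataType: "script" explicitly, which bypasses the contents table.
function applyCrossDomainPrefilter(settings) {
  if (settings.crossDomain) settings.contents.script = false;
  return settings;
}

// Audit helper (assumed): list cross-domain calls that omit dataType, i.e.
// the calls that depend on the library version for safety.
function auditCalls(calls, origin) {
  return calls
    .filter((c) => makeSettings({ ...c, origin }).crossDomain && !c.dataType)
    .map((c) => c.url);
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const remote = "https://cdn.example.org/widget";
  const ct = "text/javascript; charset=utf-8";
  console.log("< 3.0.0, no dataType:", inferResponseType(makeSettings({ url: remote }), ct));
  console.log("3.0.0 prefilter:      ",
    inferResponseType(applyCrossDomainPrefilter(makeSettings({ url: remote })), ct));
  console.log("explicit dataType:    ",
    inferResponseType(makeSettings({ url: remote, dataType: "json" }), ct));
  console.log("calls to review:", auditCalls([
    { url: remote },
    { url: "https://app.example/api/data" },
    { url: "https://cdn.example.org/data", dataType: "json" },
  ]));
}
```

With an explicit `dataType: "json"` the library never consults the Content-Type, so a `text/javascript` body is parsed as JSON (and fails) rather than executed; that is the check worth adding to every cross-origin `$.ajax` call regardless of the jQuery version in use.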
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jquery | Jquery | < 3.0.0 |
| Oracle | Agile Product Lifecycle Management For Process | 6.2.0.0 |
| Oracle | Banking Platform | 2.6.0 |
| Oracle | Business Process Management Suite | 11.1.1.9.0 |
| Oracle | Communications Converged Application Server | < 7.0.0.1 |
| Oracle | Communications Interactive Session Recorder | 6.0 |
| Oracle | Communications Services Gatekeeper | < 6.1.0.4.0 |
| Oracle | Communications Webrtc Session Controller | < 7.2 |
| Oracle | Endeca Information Discovery Studio | 3.1.0 |
| Oracle | Enterprise Manager Ops Center | 12.2.2 |
| Oracle | Enterprise Operations Monitor | 3.4 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 7.3.3, <= 7.3.5 |
| Oracle | Financial Services Asset Liability Management | >= 8.0.4, <= 8.0.7 |
| Oracle | Financial Services Data Integration Hub | >= 8.0.5, <= 8.0.7 |
| Oracle | Financial Services Funds Transfer Pricing | >= 8.0.4, <= 8.0.7 |
| Oracle | Financial Services Hedge Management And Ifrs Valuations | >= 8.0.4, <= 8.0.7 |
| Oracle | Financial Services Liquidity Risk Management | >= 8.0.2, <= 8.0.6 |
| Oracle | Financial Services Loan Loss Forecasting And Provisioning | >= 8.0.2, <= 8.0.7 |
| Oracle | Financial Services Market Risk Measurement And Management | 8.0.5 |
| Oracle | Financial Services Profitability Management | >= 8.0.4, <= 8.0.6 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies
- http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.htm
- http://seclists.org/fulldisclosure/2019/May/10
- http://seclists.org/fulldisclosure/2019/May/11
- http://seclists.org/fulldisclosure/2019/May/13
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch)
- http://www.securityfocus.com/bid/105658 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2020:0481
- https://access.redhat.com/errata/RHSA-2020:0729
- https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc (Patch, Third Party Advisory)
- https://github.com/jquery/jquery/issues/2432 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/jquery/jquery/pull/2588 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804 (Patch, Third Party Advisory)
FAQ
What is CVE-2015-9251?
CVE-2015-9251 is a vulnerability with a CVSS score of 6.1 (MEDIUM). jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
How severe is CVE-2015-9251?
CVE-2015-9251 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2015-9251?
Check the references section above for vendor advisories and patch information. Affected products include: Jquery Jquery, Oracle Agile Product Lifecycle Management For Process, Oracle Banking Platform, Oracle Business Process Management Suite, Oracle Communications Converged Application Server.