CVE-2015-9251: XSS

Q: What is the severity of CVE-2015-9251?

CVE-2015-9251 is categorized as a moderate severity vulnerability due to its potential to execute malicious scripts through cross-origin requests.

Q: How do I fix CVE-2015-9251?

To remediate CVE-2015-9251, upgrade jQuery to version 3.0.0 or later.

Q: What versions of jQuery are affected by CVE-2015-9251?

CVE-2015-9251 affects jQuery versions prior to 3.0.0, including all versions from 1.12.3 and below.

Q: What are the potential impacts of CVE-2015-9251?

Exploitation of CVE-2015-9251 may allow malicious scripts to be executed in the context of the user's browser, potentially leading to data theft.

Q: Is there any specific software that is affected by CVE-2015-9251?

Various software products, including IBM RTC and Oracle applications, utilize affected versions of jQuery and may be impacted by CVE-2015-9251.

Published Nov 29, 2016

Updated

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Recommendation

Update to version 3.0.0 or later.

Other sources

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

— MITRE

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Upstream bug:

https://github.com/jquery/jquery/issues/2432

Upstream patch:

https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614

— Red Hat

jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

— IBM

Affected Software

90 affected componentsFixes available

maven/org.webjars.npm:jquery>=1.12.3<3.0.0

3.0.0

maven/org.webjars.npm:jquery<1.12.2

1.12.2

rubygems/jquery-rails<4.2.0

4.2.0

npm/jquery>=1.12.3<3.0.0

3.0.0

npm/jquery<1.12.2

1.12.2

nuget/jQuery>=1.12.3<3.0.0

3.0.0

nuget/jQuery<1.12.2

1.12.2

redhat/jquery<3.0.0

3.0.0

IBM ApplinX<=11.1

jQuery JQuery<3.0.0

Oracle Agile Product Lifecycle Management for Process=6.2.0.0

Oracle Agile Product Lifecycle Management for Process=6.2.1.0

Oracle Agile Product Lifecycle Management for Process=6.2.2.0

Oracle Agile Product Lifecycle Management for Process=6.2.3.0

Oracle Agile Product Lifecycle Management for Process=6.2.3.1

Oracle Banking Platform=2.6.0

Oracle Banking Platform=2.6.1

Oracle Banking Platform=2.6.2

Oracle Business Process Management Suite=11.1.1.9.0

Oracle Business Process Management Suite=12.1.3.0.0

Oracle Business Process Management Suite=12.2.1.3.0

Oracle Communications Converged Application Server<7.0.0.1

Oracle Communications Interactive Session Recorder=6.0

Oracle Communications Interactive Session Recorder=6.1

Oracle Communications Interactive Session Recorder=6.2

Oracle Communications Services Gatekeeper<6.1.0.4.0

Oracle Communications WebRTC Session Controller<7.2

Oracle Endeca Information Discovery Studio=3.1.0

Oracle Endeca Information Discovery Studio=3.2.0

Oracle Enterprise Manager Ops Center=12.2.2

Oracle Enterprise Manager Ops Center=12.3.3

Oracle Enterprise Operations Monitor=3.4

Oracle Enterprise Operations Monitor=4.0

Oracle Financial Services Analytical Applications Infrastructure>=7.3.3<=7.3.5

Oracle Financial Services Analytical Applications Infrastructure>=8.0.0<=8.0.7

Oracle Financial Services Asset Liability Management>=8.0.4<=8.0.7

Oracle Financial Services Data Integration Hub>=8.0.5<=8.0.7

Oracle Financial Services Funds Transfer Pricing>=8.0.4<=8.0.7

Oracle Financial Services Hedge Management and IFRS Valuations>=8.0.4<=8.0.7

Oracle Financial Services Liquidity Risk Management>=8.0.2<=8.0.6

Oracle Financial Services Loan Loss Forecasting and Provisioning>=8.0.2<=8.0.7

Oracle Financial Services Market Risk Measurement and Management=8.0.5

Oracle Financial Services Market Risk Measurement and Management=8.0.6

Oracle Financial Services Profitability Management>=8.0.4<=8.0.6

Oracle Financial Services Reconciliation Framework=8.0.5

Oracle Financial Services Reconciliation Framework=8.0.6

Oracle Fusion Middleware MapViewer=12.2.1.3.0

Oracle Healthcare Foundation=7.1

Oracle Healthcare Foundation=7.2

Oracle Healthcare Translational Research=3.1.0

Oracle Hospitality Cruise Fleet Management=9.0.11

Oracle Hospitality Guest Access=4.2.0

Oracle Hospitality Guest Access=4.2.1

Oracle Hospitality Materials Control=18.1

Oracle Hospitality Reporting and Analytics=9.1.0

Oracle Insurance Insbridge Rating And Underwriting=5.2

Oracle Insurance Insbridge Rating And Underwriting=5.4

Oracle Insurance Insbridge Rating And Underwriting=5.5

Oracle JD Edwards EnterpriseOne Tools=9.2

Oracle JDeveloper=11.1.1.9.0

Oracle JDeveloper=12.1.3.0.0

Oracle JDeveloper=12.2.1.3.0

Oracle OSS Support Tools=19.1

Oracle PeopleSoft Enterprise PeopleTools=8.55

Oracle PeopleSoft Enterprise PeopleTools=8.56

Oracle PeopleSoft Enterprise PeopleTools=8.57

Oracle Primavera Gateway=15.2

Oracle Primavera Gateway=16.2

Oracle Primavera Gateway=17.12

Oracle Primavera Unifier>=17.1<=17.12

Oracle Primavera Unifier=16.1

Oracle Primavera Unifier=16.2

Oracle Primavera Unifier=18.8

Oracle Real-Time Scheduler=2.3.0

Oracle Retail Allocation=15.0.2

Oracle Retail Customer Insights=15.0

Oracle Retail Customer Insights=16.0

Oracle Retail Invoice Matching=15.0

Oracle Retail Sales Audit=15.0

Oracle Retail Workforce Management Software=1.60.9

Oracle Retail Workforce Management Software=1.64.0

Oracle Service Bus=12.1.3.0.0

Oracle Service Bus=12.2.1.3.0

Oracle Siebel UI Framework=18.10

Oracle Siebel UI Framework=18.11

Oracle Utilities Framework>=4.3.0.1<=4.3.0.4

Oracle Utilities Mobile Workforce Management=2.3.0

Oracle WebCenter Sites=11.1.1.8.0

Oracle WebLogic Server=12.1.3.0

Oracle WebLogic Server=12.2.1.3

Remediation

Event History

Nov 29, 2016

Data Sourced

via Red Hat·09:53 AM

DescriptionSeverityAffected Software

Jan 18, 2018

CVE Published

via MITRE·11:00 PM

Data Sourced

via MITRE·11:00 PM

Description

Jan 22, 2018

Advisory Published

01:32 PM

Parent advisories

This vulnerability appears in the following advisories.

IBM-7182522

Frequently Asked Questions

What is the severity of CVE-2015-9251?

CVE-2015-9251 is categorized as a moderate severity vulnerability due to its potential to execute malicious scripts through cross-origin requests.

How do I fix CVE-2015-9251?

To remediate CVE-2015-9251, upgrade jQuery to version 3.0.0 or later.

What versions of jQuery are affected by CVE-2015-9251?

CVE-2015-9251 affects jQuery versions prior to 3.0.0, including all versions from 1.12.3 and below.

What are the potential impacts of CVE-2015-9251?

Exploitation of CVE-2015-9251 may allow malicious scripts to be executed in the context of the user's browser, potentially leading to data theft.

Is there any specific software that is affected by CVE-2015-9251?

Various software products, including IBM RTC and Oracle applications, utilize affected versions of jQuery and may be impacted by CVE-2015-9251.

CVE-2015-9251: XSS

Other sources

Affected Software

Remediation

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Event History

Parent advisories

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2015-9251?

How do I fix CVE-2015-9251?

What versions of jQuery are affected by CVE-2015-9251?

What are the potential impacts of CVE-2015-9251?

Is there any specific software that is affected by CVE-2015-9251?

Company

Resources

Contact