Cross-Site Scripting Vulnerability in jQuery Affecting Multiple Web Applications
CVE-2015-9251

6.1MEDIUM

Key Information:

Vendor
Jquery
Status
Jquery
Vendor
CVE Published:
18 January 2018

Badges

👾 Exploit Exists🟡 Public PoC

Summary

This vulnerability in jQuery versions prior to 3.0.0 exposes applications to Cross-site Scripting (XSS) attacks. When a cross-domain Ajax request is executed without explicitly defining the dataType option, attackers can deliver responses with text/javascript content, leading to the execution of malicious scripts. This security flaw can compromise user data and allow for unauthorized actions on behalf of users, making it crucial for web developers to upgrade to the latest version of jQuery to mitigate these risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2015-9251
Created by halkichi0308

CVE-2015-9251
Created by moften

CVE-2015-9251
Created by hackgiver

References

http://www.securityfocus.com/bid/105658
vdb-entryx_refsource_BID
https://seclists.org/bugtraq/2019/May/18
mailing-listx_refsource_BUGTRAQ
http://seclists.org/fulldisclosure/2019/May/11
mailing-listx_refsource_FULLDISC

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.