Cross-Site Scripting (XSS) in jquery
Published: January 22, 2018
SECURITY IDENTIFIERS
- CVE: CVE-2015-9251 (NVD)
- GHSA: GHSA-rmxg-73gg-4p98
- Vendor Advisory: https://github.com/rails/jquery-rails/releases/tag/v4.2.0
GEM
FRAMEWORK
SEVERITY
PATCHED VERSIONS
>= 4.2.0
DESCRIPTION
Affected versions of jQuery interpret text/javascript responses
from cross-origin ajax requests and automatically execute their
contents via jQuery.globalEval, even when the ajax request
does not specify the dataType option.
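The following is an added illustration, not code from jquery-rails or jQuery: a small model of the response path the description refers to. jQuery infers a dataType from the response Content-Type when the caller gives none, and a "script" inference routes the body to jQuery.globalEval; the patched branch mirrors the behaviour shipped with jquery-rails 4.2.0 (jQuery 3), which stops Content-Type sniffing from promoting a cross-origin response to "script" unless dataType is set explicitly. The hostile response, the URL and the helper names are constructed for the example; globalEval is a recording stub and nothing is actually evaluated.

```javascript
// Constructed model (not jQuery's own code) of how jQuery.ajax picks a
// dataType from the response Content-Type and dispatches to a converter.
// The "script" -> globalEval route is the one CVE-2015-9251 describes.

const executed = [];                 // records what a real globalEval would run

function globalEval(code) {          // stand-in for jQuery.globalEval, never evaluates
  executed.push(code);
  return code;
}

// Content-Type sniffing table, same shape as jQuery's ajaxSettings.contents.
function defaultContents() {
  return {
    xml:    /\bxml\b/,
    html:   /\bhtml/,
    json:   /\bjson\b/,
    script: /\b(?:java|ecma)script\b/,
  };
}

// Model of jQuery.ajax's response handling (simplified).
// opts:     { url, crossDomain, dataType }   (hypothetical request options)
// response: { contentType, body }            (constructed response)
// patched:  apply the fix: cross-origin request with no explicit dataType
//           can no longer be auto-detected as "script".
function handleResponse(opts, response, patched) {
  const contents = defaultContents();

  if (patched && opts.crossDomain && !opts.dataType) {
    // Mirrors the jQuery 3 ajaxPrefilter that sets contents.script = false
    // for cross-domain requests, so Content-Type alone cannot select "script".
    contents.script = false;
  }

  let dataType = opts.dataType;
  if (!dataType) {
    // Auto-detect from Content-Type, as jQuery does when dataType is omitted.
    for (const [type, re] of Object.entries(contents)) {
      if (re && re.test(response.contentType)) { dataType = type; break; }
    }
    dataType = dataType || 'text';
  }

  switch (dataType) {
    case 'script': return { dataType, data: globalEval(response.body), executed: true };
    case 'json':   return { dataType, data: JSON.parse(response.body), executed: false };
    default:       return { dataType, data: response.body, executed: false };
  }
}

// Constructed cross-origin response: the remote endpoint answers with
// JavaScript instead of the data the page expected.
const hostileResponse = {
  contentType: 'text/javascript; charset=utf-8',
  body: 'window.__marker = true',   // constructed marker string, only recorded, never run
};

const noDataTypeRequest = { url: 'https://api.example.invalid/data', crossDomain: true };

// Unpatched: the response body reaches globalEval.
function vulnerableBehaviour() {
  return handleResponse(noDataTypeRequest, hostileResponse, false);
}

// Patched (jquery-rails >= 4.2.0 model): the body is treated as plain text.
function patchedBehaviour() {
  return handleResponse(noDataTypeRequest, hostileResponse, true);
}

// Application-level mitigation on any version: state the expected dataType
// so Content-Type sniffing never decides how the response is handled.
function explicitDataTypeBehaviour() {
  return handleResponse({ ...noDataTypeRequest, dataType: 'text' }, hostileResponse, false);
}
```

The third function is the check worth applying while upgrading: any $.ajax / $.get call that reads from another origin without a dataType is relying on the library's sniffing, and pinning dataType to "json" or "text" removes the globalEval route regardless of which jQuery build is bundled.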
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2015-9251
- https://github.com/rails/jquery-rails/releases/tag/v4.2.0
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420
- https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377
- https://github.com/advisories/GHSA-rmxg-73gg-4p98
