Page 2 of 10 results (0.016 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common. jQuery en versiones anteriores a la 1.9.0 es vulnerable a ataques de Cross-Site Scripting (XSS). La función jQuery(strInput) no diferencia selectores de HTML de forma fiable. • https://www.exploit-db.com/exploits/49708 http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.com/files/161972/Linksys-EA7500-2.0.8.194281-Cross-Site-Scripting.html http://www.securityfocus.com/bid/102792 https://bugs.jquery.com/ticket/11290 https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d https://help.ecostruxureit.com/display/public/UADCE725/Sec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de denegación de servicio (DoS) debido a la eliminación de lógica que ponía en minúscula nombres de atributos. Cualquier getter de atributo que emplea un nombre con caracteres en mayúscula y minúscula para atributos boleanos entra en una recursión infinita, sobrepasando el límite de llamadas a la pila. • https://github.com/jquery/jquery/issues/3133 https://github.com/jquery/jquery/pull/3134 https://snyk.io/vuln/npm:jquery:20160529 • CWE-674: Uncontrolled Recursion •

CVSS: 6.1EPSS: 0%CPEs: 81EXPL: 1

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de Cross-site Scripting (XSS) cuando se realiza una petición Ajax de dominios cruzados sin la opción dataType. Esto provoca que se ejecuten respuestas de texto/javascript. • https://github.com/halkichi0308/CVE-2015-9251 http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. jQuery 1.4.2 permite que atacantes remotos lleven a cabo ataques de Cross-Site Scripting (XSS) mediante vectores relacionados con el uso del método text en la función after. • http://seclists.org/fulldisclosure/2014/Sep/10 https://bugzilla.redhat.com/show_bug.cgi?id=1136683 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en jQuery antes de v1.6.3, cuando se seleccionan elementos location.hash, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de una etiqueta hecha a mano. • http://blog.jquery.com/2011/09/01/jquery-1-6-3-released http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html http://bugs.jquery.com/ticket/9521 http://www.openwall.com/lists/oss-security/2013/01/31/3 http://www.osvdb.org/80056 http://www.securityfocus.com/bid/58458 http://www.securitytracker.com/id/1036620 http://www.ubuntu.com/usn/USN-1722-1 https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9 https://h20566.www2.hpe.com/portal&#x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •