CVSS: 6.9EPSS: 2%CPEs: 206EXPL: 6CVE-2020-11022 – Potential XSS vulnerability in jQuery
https://notcve.org/view.php?id=CVE-2020-11022
29 Apr 2020 — In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. En las versiones de jQuery mayores o iguales a 1.2 y anteriores a la versión 3.5.0, se puede ejecutar HTML desde fuentes no seguras, incluso después de desinfectarlo, a uno de los métodos de manipulación DOM de jQuery (es decir .h... • https://packetstorm.news/files/id/162159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-18405
https://notcve.org/view.php?id=CVE-2018-18405
22 Apr 2020 — jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry ** EN DISPUTA ** jQuery v2.2.2 permite XSS a través de un atributo de error diseñado de un elemento IMG. NOTA: se ha informado que esta vulnerabilidad es una entrada de spam. • https://gist.github.com/CyberSecurityUP/26c5b032897630fe8407da4a8ef216d4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 218EXPL: 9CVE-2019-11358 – jQuery 3.3.1 - Prototype Pollution & XSS Exploit
https://notcve.org/view.php?id=CVE-2019-11358
19 Apr 2019 — jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. jQuery, en versiones anteriores a 3.4.0, como es usado en Drupal, Backdrop CMS, y otros productos, maneja mal jQuery.extend(true, {}, ...) debido a la contaminación de Object.prototype. Si un objeto fuente no sanitizado contenía una propi... • https://packetstorm.news/files/id/190328 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 9.8EPSS: 93%CPEs: 1EXPL: 13CVE-2018-9206 – blueimp's jQuery (Arbitrary) File Upload
https://notcve.org/view.php?id=CVE-2018-9206
11 Oct 2018 — Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0 Vulnerabilidad de subida de archivos arbitrarios sin autenticar en Blueimp jQuery-File-Upload en versiones iguales o anteriores a la v9.22.0. The Tajer for WordPress is vulnerable to arbitrary file uploads due to inclusion of a vulnerable version of the Blueimp jQuery-File-Upload library in versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the aff... • https://packetstorm.news/files/id/151206 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16045
https://notcve.org/view.php?id=CVE-2017-16045
04 Jun 2018 — `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. "jquery.js" era un módulo malicioso publicado para secuestrar variables de entorno. Ha sido retirado por npm. • https://nodesecurity.io/advisories/496 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-506: Embedded Malicious Code •
CVSS: 6.1EPSS: 0%CPEs: 21EXPL: 0CVE-2018-1325
https://notcve.org/view.php?id=CVE-2018-1325
18 Apr 2018 — In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display. En Apache wicket-jquery-ui, en versiones iguales o anteriores a la 6.29.0, 7.10.1 o 8.0.0-M9.1, el código creado en el editor WYSIWYG se ejecutará en pantalla. • https://markmail.org/message/6bxjyaolehhq7jrl • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 32EXPL: 0CVE-2017-15719
https://notcve.org/view.php?id=CVE-2017-15719
12 Mar 2018 — In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor. En Wicket jQuery UI, en versiones 6.28.0 y anteriores, 7.9.1 y anteriores y 8.0.0-M8 y anteriores, se ha descubierto un problema de seguridad en el editor WYSIWYG que permite que un atacante envíe código JS arbitrario a ese editor. • http://openmeetings.apache.org/security.html#_toc_cve-2017-15719_-_wicket_jquery_ui_xss_in_wysiwyg_e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2016-10707
https://notcve.org/view.php?id=CVE-2016-10707
18 Jan 2018 — jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de denegación de servicio (DoS) debido a la eliminación de lógica que ponía en minúscula nombres de atributos. Cualquier getter de atributo que emplea un nombre con caracteres en mayúscula y minús... • https://github.com/jquery/jquery/issues/3133 • CWE-674: Uncontrolled Recursion •
CVSS: 6.1EPSS: 11%CPEs: 81EXPL: 4CVE-2015-9251 – jquery: Cross-site scripting via cross-domain ajax requests
https://notcve.org/view.php?id=CVE-2015-9251
18 Jan 2018 — jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de Cross-site Scripting (XSS) cuando se realiza una petición Ajax de dominios cruzados sin la opción dataType. Esto provoca que se ejecuten respuestas de texto/javascript. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applic... • https://github.com/halkichi0308/CVE-2015-9251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 3CVE-2012-6708 – Linksys EA7500 2.0.8.194281 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6708
18 Jan 2018 — jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability onl... • https://packetstorm.news/files/id/161972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •