
CVSS: 9.8 | EPSS: 92% | CPEs: 1 | EXPL: 13

11 Oct 2018 — Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0. The library's bundled PHP UploadHandler relied on a .htaccess file to keep uploaded files from being executed, and Apache 2.3.9 and later ignore .htaccess by default (AllowOverride None), so the server-side handler is the part that needs patching, not only the JavaScript front end. The Tajer plugin for WordPress is vulnerable to arbitrary file uploads due to inclusion of a vulnerable version of the Blueimp jQuery-File-Upload library in versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the aff... • https://packetstorm.news/files/id/151206 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Jun 2018 — `jquery.js` was a malicious npm module published with the intent to hijack environment variables (the usual way to exfiltrate CI secrets and tokens from an install). It has been unpublished by npm. • https://nodesecurity.io/advisories/496 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-506: Embedded Malicious Code •

CVSS: 6.1 | EPSS: 0% | CPEs: 21 | EXPL: 0

18 Apr 2018 — In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1 and <= 8.0.0-M9.1, JS code entered in the WYSIWYG editor is executed when the stored content is displayed. • https://markmail.org/message/6bxjyaolehhq7jrl • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 32 | EXPL: 0

12 Mar 2018 — In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue in the WYSIWYG editor allows an attacker to submit arbitrary JS code to the editor. • http://openmeetings.apache.org/security.html#_toc_cve-2017-15719_-_wicket_jquery_ui_xss_in_wysiwyg_e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 8% | CPEs: 81 | EXPL: 3

18 Jan 2018 — jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option: jQuery infers the type from the response Content-Type, so a text/javascript response is executed as script. The fix in 3.0.0 stops inferring "script" for cross-domain requests; on older versions, always pass an explicit dataType (e.g. 'json') or use $.getJSON. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applic... • https://github.com/halkichi0308/CVE-2015-9251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
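Why an omitted dataType is dangerous, as an added example (not code from jQuery or from this listing): a reduced model of how jQuery picks a dataType for a response when the caller gave none. The content-type table is the one jQuery registers as ajaxSettings.contents; the `fixed` flag models the ajaxPrefilter jQuery 3.0.0 added, which sets contents.script = false for cross-domain requests. The function names inferDataType and wouldExecute are this example's own.

```javascript
// Added example, not jQuery's own source. Models jQuery's response-type
// sniffing (ajaxHandleResponses): when no dataType was given, the first
// regex in `contents` that matches the response Content-Type decides how
// the body is converted, and "script" means it is passed to globalEval.
const contents = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/, // registered by jQuery's script.js
};

// Returns the dataType jQuery would convert the response into.
//   settings.dataType   - what the caller passed to $.ajax (may be undefined)
//   settings.crossDomain- true when the URL's origin differs from the page's
//   responseContentType - the Content-Type header the server sent back
//   fixed               - true models jQuery >= 3.0.0 (prefilter for gh-2432)
function inferDataType(settings, responseContentType, fixed) {
  if (settings.dataType) return settings.dataType; // explicit dataType always wins
  const table = Object.assign({}, contents);
  if (fixed && settings.crossDomain) {
    table.script = false; // jQuery 3.0.0: never sniff "script" cross-domain
  }
  for (const type of Object.keys(table)) {
    if (table[type] && table[type].test(responseContentType)) return type;
  }
  return 'text';
}

// True when the response body would be evaluated as JavaScript.
function wouldExecute(settings, responseContentType, fixed) {
  return inferDataType(settings, responseContentType, fixed) === 'script';
}

// Sample call shapes (constructed for this example):
//   vulnerable: $.get('https://third-party.example/api', cb)   -> no dataType
//   safe:       $.ajax({ url, dataType: 'json' }) or $.getJSON(url, cb)
const noDataType = { crossDomain: true };
const jsonOnly = { crossDomain: true, dataType: 'json' };
const evilResponse = 'text/javascript; charset=utf-8';

console.log('jQuery < 3, no dataType   :', wouldExecute(noDataType, evilResponse, false)); // true
console.log('jQuery >= 3, no dataType  :', wouldExecute(noDataType, evilResponse, true));  // false
console.log('any jQuery, dataType json :', wouldExecute(jsonOnly, evilResponse, false));   // false
```

The model shows the two independent mitigations: the 3.0 prefilter only covers cross-domain requests (a same-origin text/javascript response is still sniffed and run, which is the intended behaviour), while an explicit dataType protects on every version because it bypasses sniffing entirely.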

CVSS: 7.5 | EPSS: 1% | CPEs: 1 | EXPL: 1

18 Jan 2018 — jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) because the logic that lowercased attribute names was removed. Any attribute getter using a mixed-case name for a boolean attribute goes into infinite recursion, exceeding the call stack limit. • https://github.com/jquery/jquery/issues/3133 • CWE-674: Uncontrolled Recursion •

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 3

18 Jan 2018 — jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability onl... • https://packetstorm.news/files/id/161972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
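The two "selector or HTML?" tests side by side, as an added example that is not jQuery's own source: rquickExprOld is the expression jQuery 1.6.3 through 1.8.x applied in jQuery(str), and rquickExprNew is the 1.9.1+ form (1.9.0 was the same without the leading \s*). The classify helpers and the sample inputs are this example's own.

```javascript
// Added example, not jQuery's own source. jQuery(str) runs one regex over the
// string: capture group 1 means "HTML, build DOM nodes from it" (so an <img
// onerror> or <script> inside runs), group 2 means "#id lookup", and no match
// means "hand it to the selector engine".
const rquickExprOld = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // jQuery 1.6.3 - 1.8.x
const rquickExprNew = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;     // jQuery 1.9.1+

function classify(str, expr) {
  const m = expr.exec(str);
  if (!m) return 'selector';
  return m[1] ? 'html' : 'id';
}
const classifyOld = (s) => classify(s, rquickExprOld);
const classifyNew = (s) => classify(s, rquickExprNew);

// Constructed inputs: an attacker-controlled prefix such as a query parameter
// or location.hash fragment is what usually reaches jQuery(str) in practice.
const samples = [
  'foo<img src=x onerror=alert(1)>', // '<' in the middle: HTML on old, selector on new
  '<b>hi</b>',                        // genuine markup: HTML on both
  '#main',                            // id lookup on both
  '#<img src=x onerror=alert(1)>',    // the location.hash case closed in 1.6.3
  '.item[data-x="<"]',                // no closing '>' so never HTML
];
for (const s of samples) {
  console.log(JSON.stringify(s), 'old:', classifyOld(s), 'new:', classifyNew(s));
}

// The version-independent fix for the call site is to say which meaning you
// intend instead of letting jQuery guess: $(document).find(str) for selectors,
// $.parseHTML(str) (or better, jQuery.text / textContent) for markup.
```

Run with node; the first sample is the whole CVE: a payload that only needs to contain a tag somewhere is parsed as HTML on 1.8, whereas 1.9 insists the string begins with '<', which an attacker who controls only a suffix cannot arrange.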

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 0

16 Jan 2018 — jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. • http://seclists.org/fulldisclosure/2014/Sep/10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 73 | EXPL: 0

18 Oct 2017 — Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3233. • http://www.debian.org/security/2017/dsa-3897 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 9.6 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Feb 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in the CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin 2.0.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) csj_width, (3) csj_height, (4) csj_sleep, (5) csj_fade, or (6) upload_image parameter in the thisismyurl_csj.php page to wp-admin/options-general.php. • http://packetstormsecurity.com/files/130313/WordPress-Cross-Slide-2.0.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html • CWE-352: Cross-Site Request Forgery (CSRF) •