CVE-2017-15719
https://notcve.org/view.php?id=CVE-2017-15719
In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to the WYSIWYG editor.
References: http://openmeetings.apache.org/security.html#_toc_cve-2017-15719_-_wicket_jquery_ui_xss_in_wysiwyg_e https://github.com/sebfz1/wicket-jquery-ui/wiki#cve-2017-15719---xss-in-wysiwyg-editor
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-6708 – Linksys EA7500 2.0.8.194281 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6708
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
References: https://www.exploit-db.com/exploits/49708 http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.com/files/161972/Linksys-EA7500-2.0.8.194281-Cross-Site-Scripting.html http://www.securityfocus.com/bid/102792 https://bugs.jquery.com/ticket/11290 https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d https://help.ecostruxureit.com/display/public/UADCE725/Sec
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10707
https://notcve.org/view.php?id=CVE-2016-10707
jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to the removal of logic that lowercased attribute names. Any attribute getter using a mixed-case name for boolean attributes goes into an infinite recursion, exceeding the call stack limit.
References: https://github.com/jquery/jquery/issues/3133 https://github.com/jquery/jquery/pull/3134 https://snyk.io/vuln/npm:jquery:20160529
CWE-674: Uncontrolled Recursion
CVE-2015-9251 – jquery: Cross-site scripting via cross-domain ajax requests
https://notcve.org/view.php?id=CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
References: https://github.com/halkichi0308/CVE-2015-9251 http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/1
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-6071
https://notcve.org/view.php?id=CVE-2014-6071
jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.
References: http://seclists.org/fulldisclosure/2014/Sep/10 https://bugzilla.redhat.com/show_bug.cgi?id=1136683 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')