PT-2007-1156 · Jquery+6

Published: 2007-04-10 · Updated: 2026-03-01 · CVE-2015-9251

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Vulnerable software and affected versions: jQuery versions prior to 3.0.0
Description: The issue stems from missing protection of the web page's structure, which lets a remote attacker perform cross-site scripting through cross-domain Ajax requests. When a cross-domain Ajax request is performed without the dataType option, text/javascript responses are executed: the jQuery.globalEval function automatically runs the contents of text/javascript responses to cross-origin Ajax requests even when the request did not specify dataType.
Recommendations: Update to version 3.0.0 or later. As a temporary workaround, set the dataType option on all cross-domain Ajax requests so that text/javascript responses are not executed automatically. Restrict access to the jQuery.globalEval function to reduce the risk of exploitation, and avoid cross-domain Ajax requests without the dataType option until the issue is resolved.
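The weak and corrected configurations side by side, as an added example that is neither the advisory's nor jQuery's own code: a small model of the pre-3.0 dataType inference described above, plus a wrapper that supplies the explicit dataType the recommendation calls for. Function names, the sample URLs and the page origin are assumptions made for the example.

```javascript
// Added illustration (not from the advisory or from jQuery): models how jQuery < 3.0
// chose the dataType of a cross-domain ajax() call, and wraps option objects so that
// every cross-domain request carries the explicit dataType the advisory recommends.
const PAGE_ORIGIN = "https://app.example"; // constructed sample origin of the page

// Mirrors the documented behaviour: with no dataType, jQuery (< 3.0) inferred the
// type from the response Content-Type, and a "script" type was handed to
// jQuery.globalEval, i.e. the remote response ran as code in the page.
function responseWouldBeExecuted(ajaxOptions, responseContentType) {
  const explicit = ajaxOptions.dataType;
  if (explicit) {
    // An explicit dataType is honoured; only "script"/"jsonp" fetch executable code.
    return explicit === "script" || explicit === "jsonp";
  }
  const ct = (responseContentType || "").toLowerCase();
  return /(?:ecma|java)script/.test(ct);
}

function isCrossDomain(url, pageOrigin = PAGE_ORIGIN) {
  try { return new URL(url, pageOrigin).origin !== pageOrigin; } catch { return true; }
}

// Hardened wrapper: a cross-domain request without dataType gets a non-executable
// one ("json" by default); callers who explicitly asked for "script" keep it.
function withExplicitDataType(ajaxOptions, fallback = "json") {
  if (!isCrossDomain(ajaxOptions.url) || ajaxOptions.dataType) return ajaxOptions;
  return { ...ajaxOptions, dataType: fallback };
}

// Audit helper: option objects that would be at risk on jQuery < 3.0.
function findRiskyRequests(requests) {
  return requests.filter(r => isCrossDomain(r.url) && !r.dataType);
}
```

Running findRiskyRequests over an application's collected ajax option objects shows which calls need the workaround until the library is upgraded.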

Category: XSS

Related Identifiers

ALSA-2020:4670
ALSA-2021_2587
ALSA-2021_2588
ALSA-2025_1210
ALSA-2025_1215
ALSA-2025_1300
ALSA-2025_1301
ALSA-2025_1306
ALSA-2025_1309
ALSA-2025_1314
ALSA-2025_1329
ALSA-2025_1338
ALSA-2025_1346
ALSA-2025_16880
AZL-41228
AZL-45099
BDU:2023-07675
CESA-2020_3936
CESA-2020_4670
CESA-2020_4847
CVE-2015-9251
ELSA-2020-3936
ELSA-2020-4670
ELSA-2020-4847
GHSA-RMXG-73GG-4P98
OPENSUSE-SU-2020:0395-1
OPENSUSE-SU-2020_0395-1
RHSA-2020:3936
RHSA-2020:4670
RHSA-2020:4847
RHSA-2020_3936
RHSA-2020_4670
RHSA-2020_4847
RHSA-2023:0552
RHSA-2023:0553
RHSA-2023:0554
RLSA-2020:4670
RLSA-2020:4847
RLSA-2020_4670
RLSA-2020_4847
SUSE-SU-2020:0737-1
SUSE-SU-2020_0737-1

Affected Products

Almalinux
Centos
Oracle Weblogic Server
Red Hat
Rocky Linux
Suse
Jquery