Bug 1399546 – CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1399546 - (CVE-2015-9251) CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests

Summary:	CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests

Status:	CLOSED WONTFIX

Aliases:	CVE-2015-9251

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150627,repor...
Keywords:	Security

Duplicates:	1591857 (view as bug list)
Depends On:	1399551 1399552 1399547 1399548 1399549 1399550 1399553 1399554 1399556 1447007 1447008 1447011
Blocks:	CVE-2017-16012 1399561
	Show dependency tree / graph

Reported:	2016-11-29 04:53 EST by Andrej Nemec
Modified:	2018-07-04 19:33 EDT (History)
CC List:	48 users (show)

See Also:
Fixed In Version:	jquery 3.0.0
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-08-30 21:53:33 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2016-11-29 04:53:29 EST

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Upstream bug:

https://github.com/jquery/jquery/issues/2432

Upstream patch:

https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614

Comment 1 Andrej Nemec 2016-11-29 04:56:13 EST

Created python-tw2-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1399551]
Affects: epel-all [bug 1399552]

Comment 2 Andrej Nemec 2016-11-29 04:56:38 EST

Created js-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1399549]
Affects: epel-7 [bug 1399550]

Comment 3 Andrej Nemec 2016-11-29 04:56:56 EST

Created js-jquery1 tracking bugs for this issue:

Affects: fedora-all [bug 1399547]
Affects: epel-7 [bug 1399548]

Comment 4 Andrej Nemec 2016-11-29 04:57:17 EST

Created python-XStatic-jQuery tracking bugs for this issue:

Affects: fedora-all [bug 1399553]
Affects: epel-7 [bug 1399554]

Comment 5 Andrej Nemec 2016-11-29 04:57:36 EST

Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1399556]

Comment 11 Tim Suter 2017-05-02 02:43:09 EDT

wontfixing openstack p2 products

Comment 12 James Hebden 2018-07-04 19:33:21 EDT

*** Bug 1591857 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
aortega
apevec
ayoung
bkearney
cbillett
chrisw
cvsbot-xmlrpc
dmcphers
hhorak
jamielinux
jialiu
jjoyce
jmatthew
jokerman
jorton
jschluet
katello-bugs
kbasil
kseifried
lhh
lmeyer
lpeer
markmc
mburns
mmccomas
mmccune
mrunge
ohadlevy
psampaio
rbean
rbryant
rdopiera
rhos-maint
ruby-maint
satellite6-bugs
sclewis
slinaber
srevivo
strzibny
tchollingsworth
tdecacqu
tiwillia
tjay
tlestach
tomckay
tsanders
vondruch