CVE-2015-9251 jQuery XSS 影响评估 安全风险评估

CVE-2015-9251 jQuery XSS 安全风险评估

简要说明

特定条件下可忽略。

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

jQuery 1.x 和 2.x 项目生命周期基本结束，已经不再进行补丁更新。

Are jQuery 1.x and 2.x officially end of life? #162
https://github.com/jquery/jquery.com/issues/162

参考资料

CVE-2015-9251 Detail
https://nvd.nist.gov/vuln/detail/CVE-2015-9251#vulnCurrentDescriptionTitle

Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets
https://acmccs.github.io/papers/p1709-lekiesA.pdf

• #Penetration Testing
• #渗透测试