CVE-2015-9251 jQuery XSS Impact Assessment: Security Risk Assessment
Summary
Can be ignored under specific conditions.
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
The jQuery 1.x and 2.x branches have essentially reached end of life and no longer receive patch updates.
Are jQuery 1.x and 2.x officially end of life? #162
https://github.com/jquery/jquery.com/issues/162
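The conditions in the description above can be checked per call site. The following is an added example, not code from this post or from jQuery: it flags Ajax calls that are cross-domain and omit dataType on an affected version, and includes a prefilter workaround that mirrors the one jQuery 3.0.0 ships. The page URL, the call-site list and all function names are assumptions constructed for illustration.

```javascript
// Added example: triage helper for CVE-2015-9251. All names and sample data are constructed.

// True when the version is below 3.0.0, the range named in the CVE description.
function isAffectedVersion(version) {
  const major = parseInt(String(version).split(".")[0], 10);
  return Number.isInteger(major) && major < 3;
}

// True when `url` (absolute, relative or protocol-relative) resolves to a
// different origin than the page that issues the request.
function isCrossOrigin(url, pageUrl) {
  return new URL(url, pageUrl).origin !== new URL(pageUrl).origin;
}

// Returns the call sites that meet every condition in the description:
// affected jQuery version, cross-domain target, and no explicit dataType.
function findExposedCalls(version, pageUrl, calls) {
  if (!isAffectedVersion(version)) return [];
  return calls.filter(
    (c) => !c.options.dataType && isCrossOrigin(c.options.url, pageUrl)
  );
}

// Workaround for 1.x/2.x: stop text/javascript responses from being
// auto-detected as scripts on cross-domain requests.
function disableCrossDomainScript(settings) {
  if (settings.crossDomain) settings.contents.script = false;
}
if (typeof jQuery !== "undefined") jQuery.ajaxPrefilter(disableCrossDomainScript);

// Constructed inventory of $.ajax option objects collected from a code review.
const PAGE_URL = "https://app.example.com/index.html";
const sampleCalls = [
  { site: "widgets.js:12", options: { url: "https://cdn.example.net/feed" } },
  { site: "widgets.js:40", options: { url: "https://cdn.example.net/feed", dataType: "json" } },
  { site: "app.js:7", options: { url: "/api/items" } },
  { site: "app.js:19", options: { url: "//static.example.org/data" } },
];

for (const c of findExposedCalls("1.12.4", PAGE_URL, sampleCalls)) {
  console.log("exposed:", c.site, c.options.url);
}
```

If the helper returns an empty list for every page that loads an affected jQuery build, the "can be ignored" condition holds for that application.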
References
CVE-2015-9251 Detail
https://nvd.nist.gov/vuln/detail/CVE-2015-9251#vulnCurrentDescriptionTitle
Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets
https://acmccs.github.io/papers/p1709-lekiesA.pdf