CVE-2015-9251

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Published: 2018-01-18 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2015-9251 is rated Moderate Risk (63.7/100): CVSS Medium severity, with high exploitation likelihood (EPSS 30.22%, 98th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +12.22% over the last day, indicating growing attacker interest. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2015-9251

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 18.01% 30.22% +12.22%
2 2026-05-22 25.59% 18.01% -7.59%
3 2026-05-06 25.59%

Full EPSS history (56 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2015-9251

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.1 3.0 MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
 2.8 2.7 [email protected]
4.3 2.0 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
 8.6 2.9 [email protected]

Weakness enumeration for CVE-2015-9251

GitHub Security Advisory for CVE-2015-9251

GHSA-rmxg-73gg-4p98 · Severity: medium · Ecosystem: nuget — Cross-Site Scripting (XSS) in jquery

OS Trackers for CVE-2015-9251

vendor priority summary link
alpine medium CVE-2015-9251: 2 source package rows (rabbitmq-server, ruby); 5 state rows across 5 repos (3.10-main, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 5, open 0. https://security.alpinelinux.org/vuln/CVE-2015-9251
redhat medium https://access.redhat.com/security/cve/CVE-2015-9251
suse medium CVE-2015-9251 severity moderate: SUSE including 281 source package names (2.17-17.3:libruby2_5-2_5-2.5.7-4.8.1, 2.17-17.3:ruby2.5-2.5.7-4.8.1, …), 872 product×package rows across 206 product lines (Container bci/ruby, Container suse/rmt-server, … (206 product lines)): Fixed 713, Known Affected 157, Known Not Affected 2. https://www.suse.com/security/cve/CVE-2015-9251/
ubuntu low CVE-2015-9251 low priority: Ubuntu including 1 source packages (jquery), 9 status rows across 9 suites (artful, bionic, cosmic, disco, eoan, focal, trusty, upstream, xenial): not-affected 6, ignored 2, released 1. https://ubuntu.com/security/CVE-2015-9251

Affected software / configurations for CVE-2015-9251

Vendor Product Version Raw CPE
jquery jquery < 3.0.0 cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*
oracle agile_product_lifecycle_management_for_process 6.2.0.0 cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
oracle agile_product_lifecycle_management_for_process 6.2.1.0 cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
oracle agile_product_lifecycle_management_for_process 6.2.2.0 cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
oracle agile_product_lifecycle_management_for_process 6.2.3.0 cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
oracle agile_product_lifecycle_management_for_process 6.2.3.1 cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
oracle banking_platform 2.6.0 cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
oracle banking_platform 2.6.1 cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
oracle banking_platform 2.6.2 cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
oracle business_process_management_suite 11.1.1.9.0 cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
oracle business_process_management_suite 12.1.3.0.0 cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
oracle business_process_management_suite 12.2.1.3.0 cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
oracle communications_converged_application_server < 7.0.0.1 cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*
oracle communications_interactive_session_recorder 6.0 cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
oracle communications_interactive_session_recorder 6.1 cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
oracle communications_interactive_session_recorder 6.2 cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
oracle communications_services_gatekeeper < 6.1.0.4.0 cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
oracle communications_webrtc_session_controller < 7.2 cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*
oracle endeca_information_discovery_studio 3.1.0 cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
oracle endeca_information_discovery_studio 3.2.0 cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
oracle enterprise_manager_ops_center 12.2.2 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
oracle enterprise_manager_ops_center 12.3.3 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
oracle enterprise_operations_monitor 3.4 cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
oracle enterprise_operations_monitor 4.0 cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure >= 7.3.3, <= 7.3.5 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure >= 8.0.0, <= 8.0.7 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle financial_services_asset_liability_management >= 8.0.4, <= 8.0.7 cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:*
oracle financial_services_data_integration_hub >= 8.0.5, <= 8.0.7 cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:*
oracle financial_services_funds_transfer_pricing >= 8.0.4, <= 8.0.7 cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:*
oracle financial_services_hedge_management_and_ifrs_valuations >= 8.0.4, <= 8.0.7 cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:*
oracle financial_services_liquidity_risk_management >= 8.0.2, <= 8.0.6 cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:*
oracle financial_services_loan_loss_forecasting_and_provisioning >= 8.0.2, <= 8.0.7 cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:*
oracle financial_services_market_risk_measurement_and_management 8.0.5 cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
oracle financial_services_market_risk_measurement_and_management 8.0.6 cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
oracle financial_services_profitability_management >= 8.0.4, <= 8.0.6 cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:*
oracle financial_services_reconciliation_framework 8.0.5 cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
oracle financial_services_reconciliation_framework 8.0.6 cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
oracle fusion_middleware_mapviewer 12.2.1.3.0 cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
oracle healthcare_foundation 7.1 cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
oracle healthcare_foundation 7.2 cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
oracle healthcare_translational_research 3.1.0 cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
oracle hospitality_cruise_fleet_management 9.0.11 cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
oracle hospitality_guest_access 4.2.0 cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
oracle hospitality_guest_access 4.2.1 cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
oracle hospitality_materials_control 18.1 cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
oracle hospitality_reporting_and_analytics 9.1.0 cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
oracle insurance_insbridge_rating_and_underwriting 5.2 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
oracle insurance_insbridge_rating_and_underwriting 5.4 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
oracle insurance_insbridge_rating_and_underwriting 5.5 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
oracle jd_edwards_enterpriseone_tools 9.2 cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
oracle jdeveloper 11.1.1.9.0 cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
oracle jdeveloper 12.1.3.0.0 cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
oracle jdeveloper 12.2.1.3.0 cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
oracle oss_support_tools 19.1 cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.55 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.56 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.57 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
oracle primavera_gateway 15.2 cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
oracle primavera_gateway 16.2 cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
oracle primavera_gateway 17.12 cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
oracle primavera_unifier >= 17.1, <= 17.12 cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
oracle primavera_unifier 16.1 cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
oracle primavera_unifier 16.2 cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
oracle primavera_unifier 18.8 cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
oracle real-time_scheduler 2.3.0 cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
oracle retail_allocation 15.0.2 cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
oracle retail_customer_insights 15.0 cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
oracle retail_customer_insights 16.0 cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
oracle retail_invoice_matching 15.0 cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
oracle retail_sales_audit 15.0 cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
oracle retail_workforce_management_software 1.60.9 cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
oracle retail_workforce_management_software 1.64.0 cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
oracle service_bus 12.1.3.0.0 cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
oracle service_bus 12.2.1.3.0 cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
oracle siebel_ui_framework 18.10 cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
oracle siebel_ui_framework 18.11 cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
oracle utilities_framework >= 4.3.0.1, <= 4.3.0.4 cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*
oracle utilities_mobile_workforce_management 2.3.0 cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
oracle webcenter_sites 11.1.1.8.0 cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
oracle weblogic_server 12.1.3.0 cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*

References for CVE-2015-9251

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html Patch
http://www.securityfocus.com/bid/105658 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2020:0481
https://access.redhat.com/errata/RHSA-2020:0729
https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc Patch Third Party Advisory
https://github.com/jquery/jquery/issues/2432 Issue Tracking Patch Third Party Advisory
https://github.com/jquery/jquery/pull/2588 Issue Tracking Patch Third Party Advisory
https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2 Patch Third Party Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04 Third Party Advisory US Government Resource
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://seclists.org/bugtraq/2019/May/18
https://security.netapp.com/advisory/ntap-20210108-0004/
https://snyk.io/vuln/npm:jquery:20150627 Patch Third Party Advisory
https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Patch
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.tenable.com/security/tns-2019-08
cvelogic Threat Intelligence