製品・ソフトウェアに関する情報

JVN脆弱性詳細

jQuery UI におけるクロスサイトスクリプティングの脆弱性

タイトル	jQuery UI におけるクロスサイトスクリプティングの脆弱性
概要	jQuery UI には、クロスサイトスクリプティングの脆弱性が存在します。
想定される影響	リモートの攻撃者により、dialog 関数の closeText パラメータを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2016年7月8日0:00
登録日	2017年4月6日15:14
最終更新日	2017年4月6日15:14

CVSS3.0 : 警告
スコア	6.1
ベクター	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2.0 : 警告
スコア	4.3
ベクター	AV:N/AC:M/Au:N/C:N/I:P/A:N

影響を受けるシステム

jQuery

jQuery UI 1.12.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-7103	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
National Vulnerability Database (NVD)
2	CVE-2016-7103	https://nvd.nist.gov/vuln/detail/CVE-2016-7103

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	名前	URL
GitHub
1	Dialog: Escape closeText option before passing it to button	https://github.com/jquery/jquery-ui/commit/9644e7bae9116edaf8d37c5b38cb32b892f10ff6
2	XSS Vulnerability on closeText option of Dialog jQuery UI #281	https://github.com/jquery/api.jqueryui.com/issues/281
jQuery
3	jQuery UI 1.12.0 Changelog	https://jqueryui.com/changelog/1.12.0/

変更履歴

No	変更内容	変更日
0	[2017年04月06日] 掲載	2018年2月17日10:37

NVD脆弱性情報

CVE-2016-7103

概要	Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
公表日	2017年3月16日1:59
登録日	2021年1月26日14:16
最終更新日	2024年11月21日11:57

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:jqueryui:jquery_ui::::::::		1.10.0	1.11.4

構成2	以上	以下	より上	未満
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0::::enterprise:::
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0::::enterprise:::
cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:::::::*
cpe:2.3:a:oracle:application_express::::::::				19.1
cpe:2.3:a:oracle:primavera_unifier::::::::	16.0	16.2
cpe:2.3:a:oracle:primavera_unifier::::::::	17.0	17.12.4
cpe:2.3:a:oracle:primavera_unifier::::::::	18.0	18.8.4
cpe:2.3:a:oracle:siebel_ui_framework::::::::		21.2
cpe:2.3:a:oracle:oss_support_tools::::::::				2.12.42
cpe:2.3:a:oracle:oss_support_tools:2.12.42:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:30:::::::*
cpe:2.3:o:fedoraproject:fedora:35:::::::*
cpe:2.3:o:fedoraproject:fedora:36:::::::*

構成4		以上	以下	より上	未満
cpe:2.3:a:netapp:snapcenter:-:::::::*

構成5	以上	以下	より上	未満
cpe:2.3:a:redhat:openstack:7.0:::::::*
cpe:2.3:a:redhat:openstack:9:::::::*
cpe:2.3:a:redhat:openstack:8:::::::*

構成6		以上	以下	より上	未満
cpe:2.3:o:juniper:junos:21.2:-::::::

構成7		以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:9.0:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2016-2932.html	Third Party Advisory
2	http://rhn.redhat.com/errata/RHSA-2016-2932.html	Third Party Advisory
3	http://rhn.redhat.com/errata/RHSA-2016-2933.html	Third Party Advisory
4	http://rhn.redhat.com/errata/RHSA-2016-2933.html	Third Party Advisory
5	http://rhn.redhat.com/errata/RHSA-2017-0161.html	Third Party Advisory VDB Entry
6	http://rhn.redhat.com/errata/RHSA-2017-0161.html	Third Party Advisory VDB Entry
7	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
8	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
9	http://www.securityfocus.com/bid/104823	Broken Link Third Party Advisory VDB Entry
10	http://www.securityfocus.com/bid/104823	Broken Link Third Party Advisory VDB Entry
11	https://github.com/jquery/api.jqueryui.com/issues/281	Exploit Issue Tracking Patch Third Party Advisory
12	https://github.com/jquery/api.jqueryui.com/issues/281	Exploit Issue Tracking Patch Third Party Advisory
13	https://github.com/jquery/jquery-ui/commit/9644e7bae9116edaf8d37c5b38cb32b892f10ff6	Patch Third Party Advisory
14	https://github.com/jquery/jquery-ui/commit/9644e7bae9116edaf8d37c5b38cb32b892f10ff6	Patch Third Party Advisory
15	https://jqueryui.com/changelog/1.12.0/	Release Notes Vendor Advisory
16	https://jqueryui.com/changelog/1.12.0/	Release Notes Vendor Advisory
17	https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E	Mailing List Third Party Advisory
18	https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E	Mailing List Third Party Advisory
19	https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E	Mailing List Third Party Advisory
20	https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E	Mailing List Third Party Advisory
21	https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E	Mailing List Third Party Advisory
22	https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E	Mailing List Third Party Advisory
23	https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E	Mailing List Third Party Advisory
24	https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E	Mailing List Third Party Advisory
25	https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E	Mailing List Third Party Advisory
26	https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E	Mailing List Third Party Advisory
27	https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html	Mailing List Third Party Advisory
28	https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html	Mailing List Third Party Advisory
29	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2I4UHPIW26FIALH7GGZ3IYUUA53VOOJ/	Mailing List Third Party Advisory
30	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2I4UHPIW26FIALH7GGZ3IYUUA53VOOJ/	Mailing List Third Party Advisory
31	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/	Mailing List Third Party Advisory
32	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/	Mailing List Third Party Advisory
33	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/	Mailing List Third Party Advisory
34	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/	Mailing List Third Party Advisory
35	https://nodesecurity.io/advisories/127	Third Party Advisory
36	https://nodesecurity.io/advisories/127	Third Party Advisory
37	https://security.netapp.com/advisory/ntap-20190416-0007/	Third Party Advisory
38	https://security.netapp.com/advisory/ntap-20190416-0007/	Third Party Advisory
39	https://www.drupal.org/sa-core-2022-002	Third Party Advisory
40	https://www.drupal.org/sa-core-2022-002	Third Party Advisory
41	https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
42	https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
43	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
44	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
45	https://www.oracle.com/security-alerts/cpuApr2021.html	Third Party Advisory
46	https://www.oracle.com/security-alerts/cpuApr2021.html	Third Party Advisory
47	https://www.oracle.com/security-alerts/cpujan2022.html	Third Party Advisory
48	https://www.oracle.com/security-alerts/cpujan2022.html	Third Party Advisory
49	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
50	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
51	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory
52	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory
53	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory
54	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory
55	https://www.tenable.com/security/tns-2016-19	Third Party Advisory
56	https://www.tenable.com/security/tns-2016-19	Third Party Advisory

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html