CVE-2015-9251
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed [1].
REPORTED PRODUCTS
- WSO2 API Manager : 4.5.0
WSO2 JUSTIFICATION
jQuery is included only in Swagger UI–related static frontend assets bundled with OpenAPI Generator. These assets are not used, served, or executed by WSO2 API Manager at runtime. API-M uses OpenAPI Generator only for Java-based backend processing (e.g., client SDK generation) and does not execute any JavaScript code. Therefore, the reported jQuery vulnerabilities are not reachable or exploitable in the API-M runtime and do not pose a security risk.
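
To check where jQuery copies sit inside a distribution and which of them predate 3.0.0, the archive can be inventoried, including nested jars. The script below is an added example, not WSO2 code; the archive layout, file names and banner strings in `build_sample` are constructed for illustration.

```python
import io
import re
import zipfile

# Banner forms: "jQuery v1.12.4" or "jQuery JavaScript Library v2.2.4".
BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")
NESTED = (".jar", ".war", ".zip")
FIXED = (3, 0, 0)  # CVE-2015-9251 affects jQuery before 3.0.0


def find_jquery(data, prefix=""):
    """Return (path, version, affected) for each jQuery copy in an archive,
    descending into nested jar/war/zip entries."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = prefix + name
            lower = name.lower()
            if lower.endswith(NESTED):
                try:
                    hits += find_jquery(zf.read(name), path + "!/")
                except zipfile.BadZipFile:
                    pass  # not a readable archive; skip it
            elif lower.endswith(".js") and "jquery" in lower:
                # Only the banner at the top of the file is needed.
                with zf.open(name) as fh:
                    m = BANNER.search(fh.read(4096))
                if m:
                    version = tuple(int(g) for g in m.groups())
                    hits.append((path, version, version < FIXED))
    return hits


def build_sample():
    """Constructed sample: a distribution zip holding one nested jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("static/lib/jquery-1.12.4.min.js", "/*! jQuery v1.12.4 | (c) */")
        jar.writestr("static/lib/jquery-3.6.0.min.js", "/*! jQuery v3.6.0 | (c) */")
        jar.writestr("com/example/Gen.class", b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as dist:
        dist.writestr("lib/example-generator.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, version, affected in find_jquery(build_sample()):
        print(path, ".".join(map(str, version)), "AFFECTED" if affected else "ok")
```

The inventory shows only where a jQuery file is packaged and its version; whether that file is ever served to a browser has to be confirmed separately against the running product.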