High severity · NVD Advisory · Published Sep 11, 2015 · Updated May 6, 2026
CVE-2015-6584
Description
Cross-site scripting (XSS) vulnerability in the DataTables plugin 1.10.8 and earlier for jQuery allows remote attackers to inject arbitrary web script or HTML via the scripts parameter to media/unit_testing/templates/6776.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| datatables (npm) | < 1.10.10 | 1.10.10 |
| datatables/datatables (Packagist) | < 1.10.10 | 1.10.10 |
Affected products (1)
Patches (1)
ccf86dc5982b · Dev: Fix potential XSS in the unit test scripts
14 files changed · +14 −14
tests/templates/2512.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/6776.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/complex_header_2.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/-complex_header.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/deferred_table.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/dom_data.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/dom_data_th.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/dom_data_two_headers.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/dymanic_table.php+1 −1 modified@@ -27,7 +27,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/empty_table.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/html_table.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/js_data_mixed_types.php+1 −1 modified@@ -84,7 +84,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/js_data.php+1 −1 modified@@ -84,7 +84,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
tests/templates/two_tables.php+1 −1 modified@@ -22,7 +22,7 @@ $aScripts = explode( ":", $_GET['scripts'] ); for ( $i=0 ; $i<count($aScripts) ; $i++ ) { - echo '<script type="text/javascript" language="javascript" src="../'.$aScripts[$i].'?rand='.rand().'"></script>'."\n"; + echo '<script type="text/javascript" language="javascript" src="../'.htmlentities($aScripts[$i]).'?rand='.rand().'"></script>'."\n"; } ?> </head>
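Review bot: In every hunk the `+` line calls `htmlentities($aScripts[$i])` with no flags or charset argument, so what gets escaped depends on the PHP version's defaults; passing `ENT_QUOTES` and `'UTF-8'` explicitly would make the output independent of the runtime. Escaping also only stops the value from breaking out of the `src="../..."` attribute: the request still chooses which path under `../` is loaded, so checking each `$aScripts[$i]` against a list of known test script names (or a strict character pattern) before the `echo` would be tighter. The unchanged context line `$aScripts = explode( ":", $_GET['scripts'] );` reads the parameter without an `isset` check, and because the identical loop is edited in all 14 templates it would be worth moving it into one shared include so a future fix lands in a single place.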
References (12)
- www.netsparker.com/cve-2015-6384-xss-vulnerability-identified-in-datatables/ (nvd, Exploit)
- github.com/advisories/GHSA-4mv4-gmmf-q382 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-6584 (ghsa, ADVISORY)
- packetstormsecurity.com/files/133555/DataTables-1.10.8-Cross-Site-Scripting.html (nvd, WEB)
- seclists.org/fulldisclosure/2015/Sep/37 (nvd, WEB)
- www.securityfocus.com/archive/1/536437/100/0/threaded (nvd, WEB)
- www.securityfocus.com/archive/1/archive/1/536437/100/0/threaded (ghsa, WEB)
- github.com/DataTables/DataTables/issues/602 (ghsa, WEB)
- github.com/DataTables/DataTablesSrc/commit/ccf86dc5982bd8e16d (ghsa, WEB)
- github.com/DataTables/DataTablesSrc/commits/1.10.10 (ghsa, WEB)
- www.netsparker.com/cve-2015-6384-xss-vulnerability-identified-in-datatables (ghsa, WEB)
- www.npmjs.com/advisories/5 (ghsa, WEB)