Vulnerabilities reported in bundled jQuery library

Issue date: 17-01-2020
Affects versions: 13.4, 13.3, 12.5

Issue ID

SECURITY-128

Affected Product Version(s)

12.6.7 (and previous patch releases)

The jQuery library is no longer bundled with Bloomreach Experience Manager as of v13.x, so these versions are not affected.

Severity

Medium

Description

Static scanning has reported the following known vulnerabilities in the version of the jQuery library bundled with Bloomreach Experience Manager: CVE-2016-7103, CVE-2010-5312, CVE-2012-6662. These JS artifacts were not used by the product anymore, and were, by default, not loaded into the user's browser. In unlikely circumstances, a customer project could have loaded them into the browser and used them in custom CMS UI. The jQuery artifacts have been removed from the product code in Bloomreach Experience Manager v12.6.8.

Instructions

In the unlikely case where a CMS UI customization loaded and made use of the packaged vulnerable jQuery artifacts, loading these artifacts will fail after updating the project to Bloomreach Experience Manager v12.6.8. Customers should package a more recent version of jQuery in their project and adjust their custom code where necessary to interoperate well with that version of jQuery.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

Vulnerabilities reported in bundled jQuery library