Vulnerabilities in jQuery library before version 3.5.0 

Issue date: 08-12-2020
Affects versions: 14.3, 13.4, 12.6

Security Issue ID

SECURITY-163


Affected Product Version(s)

14.3.3, 13.4.6, 12.6.13 (and earlier patch releases)


Severity 

low


Description

Versions of `jquery` prior to 3.5.0 are vulnerable to Cross-Site Scripting (XSS), tracked upstream as CVE-2020-11022 and CVE-2020-11023. Passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute arbitrary JavaScript in a victim's browser. The root cause is jQuery's internal HTML prefilter (jQuery.htmlPrefilter): before 3.5.0 it used a regular expression to expand self-closing tags of the form `<tag .../>` into `<tag ...></tag>` before the string reached the browser's parser. That regex does not understand attribute quoting, so markup that a sanitizer has accepted as harmless (for example a tag name hidden inside an attribute value) can be rewritten into markup that contains a real element with an event handler. jQuery 3.5.0 turns htmlPrefilter into a no-op, which is why upgrading to 3.5.0 or later removes the issue; note that the jQuery Migrate plugin restores the old rewriting behaviour and should not be relied on as a fix.
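The rewrite step described above can be reproduced outside a browser. The following is an added example, not code from this advisory, from Bloomreach/brXM or from the jQuery project: it reimplements the pre-3.5.0 prefilter regex (reproduced from the jQuery 3.x source) next to the 3.5.0 identity prefilter and runs both over the publicly reported proof-of-concept payload shape, using a deliberately small start-tag tokenizer that approximates the rules of the browser's HTML tokenizer that matter here. The payload constant and the helper names (legacyHtmlPrefilter, fixedHtmlPrefilter, startTags, eventHandlerAttrs) are this example's own.

```javascript
// Added example (not brXM or jQuery code): how jQuery < 3.5.0 turns sanitized
// HTML into executable HTML before the string ever reaches the DOM.

// Regex and replacement used by jQuery.htmlPrefilter in jQuery 3.x before 3.5.0
// (reproduced from the jQuery source): <tag ...>/> becomes <tag ...></tag>.
// Note that the tag-name group ([a-z][^\/\0>\x20\t\r\n\f]*) happily swallows a
// double quote, which is exactly what breaks attribute quoting below.
const LEGACY_RXHTMLTAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(LEGACY_RXHTMLTAG, "<$1></$2>");
}

// jQuery 3.5.0 and later: htmlPrefilter no longer rewrites anything.
function fixedHtmlPrefilter(html) {
  return html;
}

// Minimal start-tag tokenizer. It follows the two HTML tokenizer rules that
// matter for this bug: a quoted attribute value runs until its matching quote,
// and a '<' inside a quoted value never opens a tag. It returns the start tags
// with their attributes and is an approximation, not a full HTML parser.
function startTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<" || !/[A-Za-z\/]/.test(html[i + 1] || "")) { i++; continue; }
    const isEndTag = html[i + 1] === "/";
    i += isEndTag ? 2 : 1;
    let name = "";
    while (i < html.length && !/[\s\/>]/.test(html[i])) name += html[i++];
    const attrs = {};
    while (i < html.length && html[i] !== ">") {
      if (/[\s\/]/.test(html[i])) { i++; continue; }        // separators
      let attr = "";
      while (i < html.length && !/[\s=\/>]/.test(html[i])) attr += html[i++];
      while (i < html.length && /\s/.test(html[i])) i++;
      let value = "";
      if (html[i] === "=") {
        i++;
        while (i < html.length && /\s/.test(html[i])) i++;
        const quote = html[i];
        if (quote === '"' || quote === "'") {               // quoted value
          i++;
          while (i < html.length && html[i] !== quote) value += html[i++];
          i++;                                              // closing quote
        } else {                                            // unquoted value
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      attrs[attr.toLowerCase()] = value;
    }
    i++;                                                    // the '>'
    if (!isEndTag) tags.push({ name: name.toLowerCase(), attrs });
  }
  return tags;
}

// List every "tag.onXXX" event-handler attribute a browser would see.
function eventHandlerAttrs(html) {
  const found = [];
  for (const tag of startTags(html)) {
    for (const attr of Object.keys(tag.attrs)) {
      if (attr.startsWith("on")) found.push(`${tag.name}.${attr}`);
    }
  }
  return found;
}

// Constructed sample in the shape of the upstream proof of concept. As written
// it is a single <img> whose title attribute merely *contains* markup, so an
// HTML sanitizer that parses it properly sees no event handler at all.
const SANITIZED_PAYLOAD =
  '<img alt="<x" title="/><img src=url404 onerror=xss(0)>">';

console.log("as sanitized      :", eventHandlerAttrs(SANITIZED_PAYLOAD));
console.log("after legacy fix  :", legacyHtmlPrefilter(SANITIZED_PAYLOAD));
console.log("  handlers exposed:", eventHandlerAttrs(legacyHtmlPrefilter(SANITIZED_PAYLOAD)));
console.log("after 3.5.0 filter:", eventHandlerAttrs(fixedHtmlPrefilter(SANITIZED_PAYLOAD)));
```

The legacy regex matches `<x" title="/>` inside the attribute value, captures `x"` as the tag name, and emits `<x" title="></x">`; the extra `"` in the generated end tag closes the title attribute early, so the `<img ... onerror=...>` that used to be attribute text becomes a real element. The 3.5.0 prefilter leaves the string alone and the sanitizer's verdict still holds.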

brXM uses jQuery only in UI elements of the content authoring application, which is accessible only to authorized users with permission to manipulate content elements. An attacker would therefore already need such an account to get attacker-controlled HTML in front of the affected jQuery code paths. We therefore evaluate the risk of this vulnerability as low.

brXM 13.4.7, 14.4.0, and later no longer use vulnerable versions of jQuery.

brXM 12.6.x continues to use a vulnerable version of jQuery. Because upgrading to a more recent jQuery would require a major, compatibility-breaking change, we have decided not to upgrade it in brXM 12.6.x. Customers that are unusually sensitive to vulnerabilities involving malicious behavior by authorized users are advised to upgrade to the latest version of brXM 13 or 14.

See NPM-1518.

Instructions

Customers are advised to upgrade to the latest maintenance or minor release indicated above. For a brXM implementation project this is done by raising the version of the parent POM to the fixed release and rebuilding the project.