Vulnerabilities reported in bundled jQuery library - Bloomreach Experience - Open Source CMS


Issue date: 17-01-2020
Affects versions: 13.4, 13.3, 12.5

Issue ID

SECURITY-128


Affected Product Version(s)

12.6.7 (and previous patch releases)

The jQuery library is no longer bundled with Bloomreach Experience Manager as of v13.x, so these versions are not affected.


Severity 

Medium


Description

Static scanning has reported the following known vulnerabilities in the version of the jQuery library bundled with Bloomreach Experience Manager: CVE-2016-7103, CVE-2010-5312, CVE-2012-6662. All three are cross-site scripting issues in jQuery UI widgets (the dialog title option, tooltip content built from the title attribute, and the dialog closeText option, respectively), so they are only exploitable when the vulnerable script is actually loaded in the browser and one of those options is populated from attacker-controlled data. The product itself no longer used these JavaScript artifacts, and by default they were not loaded into the user's browser. In unlikely circumstances, a customer project could have loaded them into the browser and used them in a custom CMS UI. The jQuery artifacts have been removed from the product code in Bloomreach Experience Manager v12.6.8.


Instructions

In the unlikely case that a CMS UI customization loaded and used the packaged jQuery artifacts, those loads will fail after the project is updated to Bloomreach Experience Manager v12.6.8. Customers should package a current version of jQuery (and of jQuery UI, where the customization uses its widgets) in their own project and adjust their custom code where necessary to interoperate with that version.
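To find out whether a project is in that unlikely case before updating, the following audit script is an added example (not code from the advisory or from Bloomreach): it reads the version banner of each bundled jQuery/jQuery UI script, reports which of the three CVEs apply to that version, and flags templates that load an affected artifact. The fixed-in versions (jQuery UI 1.10.0 for CVE-2010-5312 and CVE-2012-6662, 1.12.0 for CVE-2016-7103) come from the public CVE descriptions, not from this page; the file paths and contents below are constructed sample input.

```python
"""Audit a project tree for bundled jQuery UI artifacts affected by the three CVEs
named in the advisory (added example; sample files are constructed, fixed-in
versions are taken from the public CVE descriptions)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Assumption: first fixed versions per the public CVE descriptions.
FIXED_IN: Dict[str, Version] = {
    "CVE-2010-5312": (1, 10, 0),   # dialog: 'title' option rendered as HTML
    "CVE-2012-6662": (1, 10, 0),   # tooltip: content built from 'title' attribute as HTML
    "CVE-2016-7103": (1, 12, 0),   # dialog: 'closeText' option rendered as HTML
}

# Banner shapes seen in shipped builds: "jQuery UI 1.8.16", "jQuery UI Dialog 1.8.16",
# "jQuery UI - v1.10.4 - 2014-01-17". The non-greedy prefix skips an optional widget name.
UI_BANNER = re.compile(r"jQuery UI\b[^\n\d]*?v?(\d+)\.(\d+)\.(\d+)")
# Core jQuery: "jQuery v1.7.2" or "jQuery JavaScript Library v1.7.2".
CORE_BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")
# <script src="..."> references whose path mentions jquery.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc=["']([^"']*jquery[^"']*)["']""", re.I)


def detect_version(source: str) -> Tuple[str, Version]:
    """Identify a script as jQuery UI or jQuery core from its banner comment."""
    m = UI_BANNER.search(source)
    if m:
        return "jquery-ui", tuple(int(x) for x in m.groups())
    m = CORE_BANNER.search(source)
    if m:
        return "jquery", tuple(int(x) for x in m.groups())
    return "unknown", (0, 0, 0)


def cves_for(lib: str, version: Version) -> List[str]:
    """CVEs from the advisory that apply; all three concern jQuery UI widgets, so
    core jQuery always yields an empty list here."""
    if lib != "jquery-ui":
        return []
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """files maps path -> contents (in-memory here; read from disk in practice).
    Returns path -> findings: affected CVEs for scripts, and for templates the
    jQuery artifacts they load that are affected or cannot be resolved."""
    findings: Dict[str, List[str]] = {}
    known: Dict[str, List[str]] = {}          # script basename -> applicable CVEs
    for path, src in files.items():
        if path.endswith(".js"):
            lib, ver = detect_version(src)
            cves = cves_for(lib, ver)
            known[path.rsplit("/", 1)[-1]] = cves
            if cves:
                label = ".".join(map(str, ver))
                findings[path] = [f"{lib} {label}: {c}" for c in cves]
    for path, src in files.items():
        if path.endswith(".js"):
            continue
        for ref in SCRIPT_SRC.findall(src):
            name = ref.rsplit("/", 1)[-1]
            if name not in known:
                findings.setdefault(path, []).append(
                    f"loads {ref}: artifact not found in project, check the version it resolves to")
            elif known[name]:
                findings.setdefault(path, []).append(f"loads {ref}: {', '.join(known[name])}")
    return findings


# Constructed sample project: one old jQuery UI build, one current one, core jQuery,
# and a custom template that loads the old build plus a script not in the tree.
SAMPLE_FILES: Dict[str, str] = {
    "src/main/webapp/js/jquery-1.7.2.min.js":
        "/*! jQuery v1.7.2 jquery.com | jquery.org/license */\n(function(a,b){})",
    "src/main/webapp/js/jquery-ui-1.8.16.custom.min.js":
        "/*!\n * jQuery UI 1.8.16\n *\n * Copyright 2011, AUTHORS.txt\n */\n(function(a,b){})",
    "src/main/webapp/js/jquery-ui-1.12.1.min.js":
        "/*! jQuery UI - v1.12.1 - 2016-09-14\n* http://jqueryui.com\n*/\n(function(t){})",
    "src/main/resources/custom-ui/dialog.html":
        '<script src="/js/jquery-1.7.2.min.js"></script>\n'
        '<script src="/js/jquery-ui-1.8.16.custom.min.js"></script>\n'
        '<script src="/js/legacy/jquery.ui.tooltip.js"></script>\n',
}

if __name__ == "__main__":
    for path, items in audit(SAMPLE_FILES).items():
        print(path)
        for item in items:
            print("  -", item)
```

Run it against a real tree by filling the dictionary from the project's webapp and resource directories; a template hit with "artifact not found in project" usually means the script is served from the product's own bundle, which is exactly the case that stops working in v12.6.8.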