Identity Manager (IM) Justification: As part of IM and NIM integration, IM doesn't allow users to perform cross-domain Ajax requests. Hence, this vulnerability is not exploitable through IM.
Vulnerability Details: XSS vulnerability is possible in jQuery before 1.6.3, when using location.hash to select elements, that allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
• IG uses Wicket framework and Wicket framework in turn uses wicket integration with JQuery (WIQuery) library. Wicket framework references the mentioned jquery version. • IG application doesn’t use location.hash to select page elements, hence IG application is not exploitable with this vulnerability.
Summary: Since none of these vulnerabilities are exploitable, CA has no immediate plans to upgrade these libraries as the IMAG applications do not use them directly but rather 3rd party libraries reference them.