
Autosys/WCC/EEM jQuery XSS Vulnerability


Article ID: 190608


Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent
CA Workload Automation AE

Issue/Introduction

We received a notification from our security team about a jQuery XSS vulnerability. 

Can you tell us if Autosys/WCC/EEM are impacted by this? 

If so, we will need to address this issue.  

"A high priority Cross-Site Scripting vulnerability was recently addressed in the newly released jQuery 3.5.0:

 

"...jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter ensured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>"). Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability."

Environment

Release : 11.3.6

Component : WORKLOAD CONTROL CENTER

Resolution

For WCC, the issue is addressed in r12.
AE (AutoSys) and EEM (Embedded Entitlements Manager) do not use jQuery, so they are not impacted.
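
The prefilter rewrite quoted in the notification, together with a check for whether a bundled jQuery file is at or above 3.5.0, as an added example that is not code from this article or from the product. The regex is reproduced from memory of the pre-3.5.0 jQuery source and should be treated as an assumption; the function names and the sample banners are constructed for illustration.

```javascript
// Added example: all function names here are illustrative.

// Self-closing-tag regex as used by jQuery.htmlPrefilter before 3.5.0
// (reproduced from memory of the jQuery source; treat as an assumption).
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5.0 behaviour: expand "<tag ... />" into "<tag ... ></tag>".
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5.0 behaviour: the prefilter returns its input unchanged.
function fixedHtmlPrefilter(html) {
  return html;
}

// True when the legacy prefilter would rewrite markup that was already
// vetted, which is the condition that made the old regex risky.
function alteredByLegacyPrefilter(html) {
  return legacyHtmlPrefilter(html) !== html;
}

// Extract [major, minor, patch] from a jQuery file banner, or null.
function parseJqueryVersion(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)/.exec(source);
  return m ? m.slice(1, 4).map(Number) : null;
}

// true: 3.5.0 or later; false: older; null: no banner, version unknown.
function hasPrefilterFix(source) {
  const v = parseJqueryVersion(source);
  if (!v) return null;
  const fixed = [3, 5, 0];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] > fixed[i];
  }
  return true;
}

// Constructed sample banners (not taken from any product file).
const oldBanner = "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */";
const newBanner = "/*! jQuery v3.5.0 | (c) JS Foundation and other contributors */";

console.log(legacyHtmlPrefilter("<div class='hot' />"));
console.log(hasPrefilterFix(oldBanner), hasPrefilterFix(newBanner));
```

The banner check only reports the version a file declares; a null result means the file carries no recognizable banner and needs manual inspection.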