CVE-2020-11022
Problem: The remote web server is affected by multiple cross-site scripting vulnerabilities.
Internal penetration testing found that older versions of jQuery are in use, and those versions are affected by multiple cross-site scripting vulnerabilities.
Recommendation: Upgrade to jQuery version 3.5.0 or later.
Release : 14.3
Component :
14.3 CP2
Identity Suite Version 14.3
Older version of jQuery
Identity Portal implements the defenses needed against the cross-site scripting attacks these CVEs describe: responses to cross-domain Ajax requests are not executed as script (the CVE-2015-9251 path), its frontend API does not allow the native Object.prototype to be extended (the prototype pollution path of CVE-2019-11358), and it does not pass untrusted input to jQuery's DOM manipulation methods (.html(), .append(), and others), which is the path by which CVE-2020-11022 executes untrusted code. Identity Portal is therefore not vulnerable to CVE-2015-9251, CVE-2019-11358 or CVE-2020-11022, despite the older versions of AngularJS and jQuery it ships.
If an XSS attack or Object.prototype pollution is observed, please share the specific use case details and it will be handled on an urgent basis.
-----
14.3 CP2 uses an older version of jQuery. The vulnerability is not exploitable in 14.3 CP2. It was not fixed in 14.3 because major code changes would be needed. The jQuery versions were upgraded in 14.4. This will not be fixed in 14.3 or its CPs; please upgrade to the latest release of IGA.
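As an added example (not Identity Suite code and not jQuery's own), the JavaScript below shows the mechanism behind CVE-2020-11022 that the resolution above depends on being unreachable, the version gate behind the "3.5.0 or later" recommendation, and a runtime mitigation for a jQuery instance that cannot be upgraded yet. The regular expression is the one jQuery used in htmlPrefilter before 3.5.0 (3.5.0 turned the function into an identity); the payload string, the hardenJquery helper and the fake jQuery object are constructed for illustration and are assumptions, not anything from the product.

```javascript
// Added example, not product or jQuery project code.

// Pre-3.5.0 jQuery expanded self-closing tags with this regex inside
// jQuery.htmlPrefilter (jQuery 3.4.1 source). The CVE-2020-11022 fix in 3.5.0
// replaced the expansion with an identity function.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

function fixedHtmlPrefilter(html) {
  return html; // jQuery >= 3.5.0 behaviour
}

// Constructed payload (assumption for the demo): the <img> sits inside <style>
// text and is inert as written. The legacy prefilter rewrites "<style/>" into
// "<style></style>", whose closing tag ends the outer <style>, so the <img>
// becomes a real element and its onerror handler runs when the string reaches
// .html() / .append().
const SAMPLE_PAYLOAD = "<style><style/><img src=x onerror=alert(1)>";

// True when the legacy prefilter would alter the markup, i.e. when text that is
// harmless as written is turned into something else before DOM insertion.
function prefilterMutates(html) {
  return legacyHtmlPrefilter(html) !== html;
}

// Parse a "3.4.1"-style version string into numbers; null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(v || "");
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// The recommendation above: anything below 3.5.0 needs an upgrade.
// An unknown or unparseable version is treated as unpatched.
function needsUpgrade(version) {
  const p = parseVersion(version);
  if (!p) return true;
  const [maj, min] = p;
  return maj < 3 || (maj === 3 && min < 5);
}

// Runtime mitigation for an instance that cannot be upgraded yet (assumed
// helper): neutralise htmlPrefilter (CVE-2020-11022) and stop cross-domain
// Ajax responses from being evaluated as script (the ajaxPrefilter workaround
// jQuery documented for CVE-2015-9251). Returns what was applied.
function hardenJquery($) {
  const applied = {
    version: $.fn && $.fn.jquery,
    htmlPrefilter: false,
    ajaxScript: false,
  };
  if (!needsUpgrade(applied.version)) return applied;
  if (typeof $.htmlPrefilter === "function") {
    $.htmlPrefilter = fixedHtmlPrefilter;
    applied.htmlPrefilter = true;
  }
  if (typeof $.ajaxPrefilter === "function") {
    $.ajaxPrefilter(function (settings) {
      if (settings.crossDomain) {
        settings.contents = settings.contents || {};
        settings.contents.script = false;
      }
    });
    applied.ajaxScript = true;
  }
  return applied;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("legacy:", legacyHtmlPrefilter(SAMPLE_PAYLOAD));
  console.log("fixed: ", fixedHtmlPrefilter(SAMPLE_PAYLOAD));
  console.log("3.4.1 needs upgrade:", needsUpgrade("3.4.1"));
}
```

The runtime patch is a stopgap only: it covers the two jQuery-level paths above, not the prototype pollution path of CVE-2019-11358 in $.extend, and the page's recommendation to upgrade to 3.5.0 or later (14.4 of the product) still stands.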