JQuery Version 1.2 Identified by Internal Pen Testing and requires remediation CVE-2020-11022



Article ID: 225722


Updated On: 11-05-2024

Products

CA Identity Suite

Issue/Introduction

CVE-2020-11022

Problem: The remote web server is affected by multiple cross-site scripting vulnerabilities.

Internal pen testing found older versions of jQuery in use that have multiple cross-site scripting vulnerabilities.

Recommendation: Upgrade to jQuery version 3.5.0 or later.


Environment

Release : 14.3

Component:

14.3 CP2

Identity Suite Version 14.3

Cause

Older version of jQuery

Resolution

Identity Portal has the required defense mechanisms implemented to handle cross-site scripting attacks when a cross-domain Ajax request is performed. Its frontend API also does not allow the native Object.prototype source object to be extended, and it does not allow jQuery's DOM manipulation methods (e.g. .html(), .append() and others) to be used to execute untrusted code. Identity Portal is therefore not vulnerable to the issues described in CVE-2015-9251, CVE-2019-11358 and CVE-2020-11022 with the older versions of AngularJS and jQuery in use.
If any XSS attack or Object.prototype pollution is observed, please share the specific use case details and we will handle it on an urgent basis.

-----

14.3 CP2 used an older version of jQuery. The vulnerability is not exploitable in 14.3 CP2. It was not fixed in 14.3 because major code changes would be needed. The jQuery versions were upgraded in 14.4. This will not be fixed in 14.3 or its CPs. Please upgrade to the latest release of IGA.
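The following is an added example, not code from this article or from the Identity Suite product: it shows how a reviewer can triage a reported jQuery version against the three CVEs named above (using their public fixed-in versions, 3.0.0, 3.4.0 and 3.5.0), and a deep-merge guard of the kind the Resolution section describes, which refuses to write through Object.prototype. The function and constant names are assumptions for illustration.

```javascript
'use strict';
// Added example (not from the Broadcom article or the Identity Suite code base).
// (1) Triage a detected jQuery version against the CVEs the article names.
// (2) A deep merge that cannot be used to pollute Object.prototype, i.e. the
//     guard the Resolution section describes for the Portal's frontend API.

// Public fixed-in versions for the CVEs listed in the article.
const JQUERY_FIXES = [
  { cve: 'CVE-2015-9251', fixedIn: '3.0.0', issue: 'cross-domain Ajax script execution' },
  { cve: 'CVE-2019-11358', fixedIn: '3.4.0', issue: 'prototype pollution via jQuery.extend' },
  { cve: 'CVE-2020-11022', fixedIn: '3.5.0', issue: 'XSS via htmlPrefilter in DOM manipulation methods' },
];

// Compare dotted version strings numerically ("1.2" < "1.12.4" < "3.5.0").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// CVE ids that still apply to a jQuery version, e.g. the "1.2" the pen test
// reported. In a browser the version string comes from jQuery.fn.jquery.
function jqueryFindings(version) {
  return JQUERY_FIXES
    .filter(f => compareVersions(version, f.fixedIn) < 0)
    .map(f => f.cve);
}

// Deep merge that never follows __proto__/constructor/prototype keys, so
// attacker-controlled JSON cannot add properties to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;           // drop pollution attempts
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
```

Constructed input such as `JSON.parse('{"__proto__":{"polluted":true}}')` yields an own `__proto__` key, which `safeExtend` skips, so `({}).polluted` stays undefined.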