JQuery Version 1.2 Identified by Internal Pen Testing and requires remediation
search cancel

JQuery Version 1.2 Identified by Internal Pen Testing and requires remediation


Article ID: 227792


Updated On:


CA Identity Suite



Problem: The remote web server is affected by multiple cross site scripting vulnerability.

Internal Pen testing found Older versions of JQuery being used that has multiple cross site scripting vulnerability.

Recommendation: is to Upgrade to JQuery version 3.5.0 or later.



Release : 14.3 CP2

Component : Virtual Appliance


Identity Portal has required defense mechanism implemented to handle Cross Site Scripting attacks when a cross-domain Ajax request is performed, also it's frontend API doesn't allow to extend the native Object.prototype source object as well as doesn't allow to execute jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) to carry out the execution of untrusted code. Identity Portal is not vulnerable for the vulnerability issues mentioned as part of CVE-2015-9251, CVE-2019-11358 and CVE-2020-11022 due to the lower version of AngularJS and JQuery.
If there's any XSS attack or Object.prototype source object pollution is noticed then please share the specific use case details and we would handle that on an urgent basis. 


14.3 CP2 does use an older version of Jquery.  The Vulnerability is not exploitable in 14.3 CP2.  It is not being fixed in 14.3 due to major code changes being needed. The vast majority of the JQuery versions were upgraded in 14.4 with all the new code changes.  This will not be fixed in 14.3 or its CPs.  You will need to upgrade to 14.4 where code changes for this has been made and this continues to not be exploitable. We already have more robust implementation of the same function already with keen filtering of all the HTML tags where there is no scope to execute malicious scripts as part of the response:

Customer's ask:
jQuery.htmlPrefilter = function( html ) {
         return html;
Our existing implementation:
jQuery.extend( {
                      htmlPrefilter: function( html ) {
                      return html.replace( rxhtmlTag, "<$1></$2>" );
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi,