Local security scan shows the following CVEs

• CVE-2021-41182: XSS in the `altField` option of the Datepicker widget
• CVE-2021-41183: XSS Vulnerability on text options of jQuery UI datepicker
• CVE-2021-41184: XSS in the `of` option of the `.position()` util
• CVE-2022-31160: XSS when refreshing a checkboxradio with an HTML-like initial text label

Identity Suite 14.4

JQueryUI version 1.12.1

The scan results are caused by JQueryUI version 1.12.1. IGA version 14.4 and 14.5 currently use this JQueryUI version.  L2 has confirmed the backend code.  IGA is not vulnerable to the CVEs with JQueryUI version 1.12.1.  IGA does not use the vulnerable functions and they are not accessible to be exploited.

JQueryUI version 1.13.2 is under review for version 14.5.1.  14.5.1 has a tentative release time of late-April 2024 as the release date is dependent on our testing. If JQueryUI version 1.13.2 is unable to be added to 14.5.1 it will be reviewed again for 14.5.2 in fall 2024.

The current JQueryUI version used, 1.12.1 has been confirmed not vulnerable in our current 14.4 and 14.5 releases.  The vulnerable functions are not used and not exploitable.