Customers have reported detection of CVE-2021-41184 in security scans of Symantec Messaging Gateway (SMG) 10.7.5-4, citing the use of jQuery-UI version 1.12.1. This CVE pertains to a cross-site scripting (XSS) vulnerability in the jQuery-UI accordion widget.
Product: Symantec Messaging Gateway
Affected Versions: SMG 10.7.x and earlier
Component: jQuery-UI 1.12.1
Symantec Messaging Gateway is not vulnerable to CVE-2021-41184.
Although jQuery-UI 1.12.1 is present in SMG 10.7.5-4, the specific widget functionality associated with this vulnerability (accordion widget with malicious HTML injection) is not utilized or exposed in the SMG Control Center interface. As such, this is a false positive detection by automated security scanners.
However, to eliminate any residual risk and to address potential future scan triggers, this jQuery false positive has been resolved in SMG version 10.8.1 and later, which includes updates to frontend components and security libraries.
No immediate action is required if you are using SMG 10.7.5-4 and have administrative access controls in place.
Recommended:
Upgrade to SMG 10.8.1 or later to avoid future scan false positives and ensure the most recent library updates and security fixes are applied. This release includes jQuery UI 1.13.2, an updated and secure version of the library.
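
The distinction made above, between a library version being present and the affected widget actually being invoked, can be checked as a first-pass triage over a set of front-end files collected for review. This is an added example, not Broadcom or SMG code; the function names, file paths and file contents are hypothetical and constructed for illustration.

```python
import re

# Version markers found in jQuery UI builds: the banner comment
# ("/*! jQuery UI - v1.12.1 - ...") and the $.ui.version assignment.
VERSION_RE = re.compile(
    r'(?:jQuery UI - v|ui\.version\s*=\s*["\'])(\d+\.\d+\.\d+)')


def widget_call_re(widget):
    # Matches call sites such as $("#x").accordion({...})
    return re.compile(r"\.\s*" + re.escape(widget) + r"\s*\(")


def triage(files, widget="accordion"):
    """files: {path: text}. Returns bundled versions and widget call sites."""
    versions, calls = {}, []
    call_re = widget_call_re(widget)
    for path, text in sorted(files.items()):
        found = VERSION_RE.search(text)
        if found:
            # The library file itself: record its version, skip call search.
            versions[path] = found.group(1)
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if call_re.search(line):
                calls.append((path, lineno, line.strip()))
    return {
        "versions": versions,
        "call_sites": calls,
        # Version-only finding: library present, widget never invoked.
        "version_only": bool(versions) and not calls,
    }


# Constructed sample input (hypothetical files, not taken from SMG).
SAMPLE = {
    "js/jquery-ui.min.js": '/*! jQuery UI - v1.12.1 - 2016-09-14 */\n'
                           '(function(t){t.ui.version="1.12.1"})(jQuery);',
    "js/app.js": '$(function () {\n  $("#tabs").tabs();\n'
                 '  $("#when").datepicker();\n});',
    "js/help.js": '$("#faq").accordion({ header: "h3" });',
}

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage({k: v for k, v in SAMPLE.items() if k != "js/help.js"}))
```

A static search like this does not see widget calls that are built dynamically or loaded from elsewhere, so an empty result supports a version-only assessment rather than proving it.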