Symantec Messaging Gateway Not Vulnerable to CVE-2021-41184 (jQuery-UI)
Article ID: 404314
Updated On:
Products
Issue/Introduction
Customers have reported detection of CVE-2021-41184 in security scans of Symantec Messaging Gateway (SMG) 10.7.5-4, citing the use of jQuery-UI version 1.12.1. This CVE pertains to a cross-site scripting (XSS) vulnerability in the jQuery-UI accordion widget.
Environment
-
Product: Symantec Messaging Gateway
-
Affected Versions: SMG 10.7.x and earlier
-
Component: jQuery-UI 1.12.1
- CVE Reference: CVE-2021-41184
Resolution
Symantec Messaging Gateway is not vulnerable to CVE-2021-41184.
Although jQuery-UI 1.12.1 is present in SMG 10.7.5-4, the specific widget functionality associated with this vulnerability (accordion widget with malicious HTML injection) is not utilized or exposed in the SMG Control Center interface. As such, this is a false positive detection by automated security scanners.
However, to eliminate any residual risk and to address potential future scan triggers, this jQuery false positive has been resolved in SMG version 10.8.1 and later, which includes updates to frontend components and security libraries.
Additional Information
No immediate action is required if you are using SMG 10.7.5-4 and have administrative access controls in place.
Recommended:
Upgrade to SMG 10.8.1 or later to avoid future scan false positives and ensure the most recent library updates and security fixes are applied. This release includes an updated and secure version of jQuery UI 1.13.2.
Feedback
