Javascript Library Bootstrap and JQuery Security Update (MINDBREEZE16267)

ID: MINDBREEZE16267 
Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS 
Severity: 6.1 Medium 
Status: Final 
First published: February 2, 2021 
CVEs: CVE-2018-14040, CVE-2018-1404, CVE-2018-14042, CVE-2019-8331, CVE-2020-11022, CVE-2020-11023, CVE-2015-9251, CVE-2019-11358, CVE-2012-6708

Summary

Bootstrap and JQuery update contains fixes for te following CVEs:

• Bootstrap: XSS is possible in the collapse data-parent attribute (CVE-2018-14040)
• Bootstrap: XSS is possible in the data-target property of scrollspy (CVE-2018-14041)
• Bootstrap: XSS is possible in the data-container property of tooltip (CVE-2018-14042)
• Bootstrap: XSS is possible in the tooltip or popover data-template attribute (CVE-2019-8331)
• jQuery: Passing HTML from untrusted sources may execute untrusted code (CVE-2020-11022)
• jQuery: Passing HTML containing <option> elements from untrusted sources may execute untrusted code. (CVE-2020-11023) 
• jQuery: When a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed ​​(CVE-2015-9251)
• JQuery: The Library mishandles jQuery.extend(true, {}, ...), it could extend the native Object.prototype (CVE-2019-11358)
• JQuery: The jQuery(strInput) function is vulnerable to Cross-site Scripting (XSS) attacks (CVE-2012-6708)

Remediation

Hotfix Information

Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

• Mindbreeze InSpire 20.5 Release (Version 20.5.1.835)
• Mindbreeze InSpire SaaS 20.5 Release (Version 20.5.1.835)