Javascript Library jQuery Security Update (MINDBREEZE14915)

ID: MINDBREEZE14915 
Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS 
Severity: 6.1 Medium 
Status: Final 
First published: 14.10.2020 
CVEs: CVE-2020-11022 

Summary

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Impact

This vulnerability may allow running cross-site scripting (XSS) attacks due to improper injQuery.htmlPrefilter method.

Remediation

Hotfix Information

Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire 20.4 Release (Version 20.4.4.435)
  • Mindbreeze InSpire SaaS 20.4 Release (Version 20.4.4.448)