Removed Legacy Versions of Javascript Libraries: jQuery and RequireJS (MINDBREEZE16269)

ID: MINDBREEZE16269
Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 6.1 Medium
Status: Final
First published: February 2, 2021
CVEs: CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023

Summary

Removing this legacy Libraries fixes the following CVEs:

When a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed (CVE-2015-9251)
An attacker can generally change the default value for any option provided to a function that takes an "options" argument, which is a fairly common pattern in JavaScript (CVE-2019-113589
Passing HTML from untrusted sources to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code (CVE-2020-11022)
Passing HTML containing <option> elements to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code (CVE-2020-11023)

Remediation

Hotfix Information

Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

Mindbreeze InSpire 20.5 Release (Version 20.5.1.835)
Mindbreeze InSpire SaaS 20.5 Release (Version 20.5.1.835)

Removed Legacy Versions of Javascript Libraries: jQuery and RequireJS (MINDBREEZE16269)

Summary

Remediation

Social Media

Security

Support

Newsletter

Language