Summary
An XSS vulnerability has been announced in jQuery, a JavaScript library used by COmanage Registry. Library versions earlier than 3.5.0 are affected, which means all versions of Match prior to commit 242d43daf6 are likely to be affected.
Severity
Based on the jQuery announcement, the severity of this vulnerability is unknown. However, due to the nature of the Match software, the severity is likely to be Low or Medium, depending on the deployment pattern.
Exposure
The exposure from this vulnerability is expected to be low, and it is unlikely that this vulnerability has been exploited.
Recommended Mitigation
Deployments using the develop branch may pull the latest code from that branch.
Alternate Mitigations
As there have not yet been any formal releases of Match, there are no alternate mitigations.
Discussion
In versions prior to 3.5.0, the jQuery.htmlPrefilter() method, which jQuery's manipulation methods rely on, used a regex that could introduce a cross-site scripting (XSS) vulnerability.
jQuery methods such as .text() and .html() are used in COmanage for manipulating some elements in a rendered View and for generating the content of dialog boxes. While in general text passed to these methods contains no user input, some text passed to dialog boxes may contain usernames or identifiers. Although the nature of this vulnerability is not fully described in the jQuery release notes, it is conceivable that a carefully constructed string entered by a user could trigger the vulnerability. While the COmanage developers do not believe that this vulnerability has been exploited or that it is likely to be easily exploited, upgrading as soon as practical is strongly recommended.
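The version boundary given in the Summary can be checked against the jQuery build a deployment actually loads, which jQuery reports in `jQuery.fn.jquery`. The following is an added example, not code from COmanage or jQuery; the function names are hypothetical, the sample version strings are constructed, and treating a 3.5.0 pre-release build as affected is an assumption.

```javascript
// Added example: classify a jQuery version string against 3.5.0, the
// first release the advisory lists as unaffected.
const FIXED = [3, 5, 0];

// Parse strings as reported by jQuery.fn.jquery. Slim builds append a
// module list after a space ("3.4.1 -ajax,-effects"); it is ignored.
function parseJQueryVersion(raw) {
  if (typeof raw !== "string") return null;
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?(?:\s|$)/.exec(raw.trim());
  if (!m) return null;
  return {
    parts: [Number(m[1]), Number(m[2]), Number(m[3] || 0)],
    prerelease: Boolean(m[4]),
  };
}

// Returns "affected", "not-affected", or "unknown" (unparseable input).
function classifyJQuery(raw) {
  const v = parseJQueryVersion(raw);
  if (!v) return "unknown";
  // Compare numerically so that 3.10.0 sorts after 3.5.0.
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] < FIXED[i]) return "affected";
    if (v.parts[i] > FIXED[i]) return "not-affected";
  }
  // Exactly 3.5.0: a pre-release tag sorts before the release.
  // Assumption: such builds are treated as affected (conservative).
  return v.prerelease ? "affected" : "not-affected";
}

// In a browser, pass window; any object with the same shape works.
function auditLoadedJQuery(globalObj) {
  const fn = globalObj && globalObj.jQuery && globalObj.jQuery.fn;
  const raw = fn ? fn.jquery : undefined;
  return { version: raw === undefined ? null : raw, status: classifyJQuery(raw) };
}

// Constructed sample inputs, not taken from any deployment.
for (const s of ["1.12.4", "3.4.1", "3.4.1 -ajax,-effects", "3.5.0", "3.5.1"]) {
  console.log(s, "=>", classifyJQuery(s));
}
```

An "unknown" result means the version string could not be parsed and the bundled library file should be inspected by hand.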
References
- CO-1929
- 2020-05-29 Registry Advisory