Summary

An XSS vulnerability has been announced in jQuery, a JavaScript library used by COmanage Registry. Library versions earlier than 3.5.0 are affected, which means all versions of Match prior to commit 242d43daf6 are likely to be affected.

Severity

Based on the jQuery announcement, the severity of this vulnerability is unknown. However, due to the nature of the Match software, the severity is likely to be Low or Medium, depending on the deployment pattern.

Exposure

The exposure from this vulnerability is expected to be low, and it is unlikely that this vulnerability has been exploited.

Recommended Mitigation

Deployments using the develop branch may pull the latest code from that branch.

Alternate Mitigations

As there have not yet been any formal releases of Match, there are no alternate mitigations.

Discussion

In versions prior to 3.5.0, the jQuery.htmlPrefilter() method, which jQuery's manipulation methods rely on, used a regex that could introduce a cross-site scripting (XSS) vulnerability.

jQuery methods such as .text() and .html() are used in COmanage for manipulating some elements in a rendered View and for generating the content of dialog boxes. While text passed to these methods generally contains no user input, some text passed to dialog boxes may contain usernames or identifiers. Although the nature of this vulnerability is not fully described in the jQuery release notes, it is conceivable that a carefully constructed string entered by a user could trigger the vulnerability. While the COmanage developers believe it is unlikely that this vulnerability has been exploited or that it is easily exploitable, upgrading as soon as practical is strongly recommended.
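The following added example (not COmanage or jQuery project code) shows two checks a deployer can apply to the situation described above: reading the version from a bundled jQuery file's banner comment to see whether it is earlier than 3.5.0, and escaping an identifier before it is placed in dialog markup so that no markup from the identifier reaches .html(). The function names and sample banners are assumptions made for illustration.

```javascript
// Added example, not COmanage code. All function names are hypothetical.

// First jQuery release the advisory lists as not affected.
const FIXED = [3, 5, 0];

// Extract [major, minor, patch] from the banner comment at the top of a
// jQuery file, e.g. "/*! jQuery v3.4.1 | ..." (minified) or
// " * jQuery JavaScript Library v3.4.1" (unminified). Returns null if absent.
function parseJqueryVersion(source) {
  const head = source.slice(0, 512); // the banner is at the start of the file
  const m = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)/.exec(head);
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version is earlier than 3.5.0. An unidentified version is
// reported as affected so that it gets reviewed rather than ignored.
function isAffected(version) {
  if (version === null) return true;
  for (let i = 0; i < 3; i++) {
    if (version[i] !== FIXED[i]) return version[i] < FIXED[i];
  }
  return false;
}

// Escape the characters that are significant in HTML text and attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build dialog markup with the identifier inserted as escaped text only.
function dialogMarkup(identifier) {
  return "<p>Confirm action for <strong>" + escapeHtml(identifier) + "</strong>?</p>";
}

// Constructed sample banners, keyed by a constructed file name.
const samples = {
  "jquery.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */",
  "jquery.js": "/*!\n * jQuery JavaScript Library v3.5.0\n * https://jquery.com/\n */",
};
for (const [name, text] of Object.entries(samples)) {
  const v = parseJqueryVersion(text);
  console.log(name, v ? v.join(".") : "unknown", isAffected(v) ? "AFFECTED" : "ok");
}
console.log(dialogMarkup('user<id "x">'));
```

In a running page, `jQuery.fn.jquery` reports the loaded version string and can be checked the same way.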
