Update the vulnerable Out-of-date jQuery version 1.11.4 to the latest version
Closed this issue · 3 comments
aparveen commented
Path: URL: https://secscan.maps.arcgis.com/apps/CrowdsourceManager/index.html
Name: Out-of-date Version (jQuery UI Autocomplete)
Severity: Medium
Certainty: 90%
File with vulnerability is - jquery-ui.js
Identified Version : 1.11.4
Latest Version : 1.12.1 (in this branch)
Known CVE: CVE-2016-7103
Details:
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
aparveen commented
This is the new jquery-ui library they are asking to upgrade to:
jquery-ui-1.12.1.custom.zip
We would need to replace the jquery-ui.js and jquery-ui.css in our vendor folder with the ones in the zip file
ashishchoure commented
Dev Checklist
| Items | Is required | Status | Comments |
|---|---|---|---|
| Required NLS change? | No | NA | |
| Required Backward compatibility? | No | NA | |
| Required 508? | No | NA | Manager application doesn’t support accessibility |
| Need Sanitize? | No | NA | |
Impact Analysis Report
| Impacted Areas | Comments |
|---|---|
| Have Configuration changes? | No |
| Have Runtime changes? | Yes |
| Impact on RTL | Yes |
| Components to have an impact after library update | Web map list |
| Details Panel | |
| Geo Form and Comment Form | |
| Date Picker | |
| Data viewer (Data table) |
aparveen commented
Verified in qa