jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks

[rbeckman-nextgen]

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

https://nvd.nist.gov/vuln/detail/CVE-2012-6708

As a workaround, you can do the following:

• Delete webadmin.war from the webapps folder.
• Download latest 1.x jQuery (e.g. 1.12.4)
• Replace the jQuery JavaScript files in: public_html/js public_api_html/lib
• Edit the following HTML files to point to the new version of jQuery public_html/index.html public_api_html/index.html
• Restart Mirth Connect

Imported Issue. Original Details: Jira Issue Key: MIRTH-4425 Reporter: narupley Created: 2019-06-28T08:14:21.000-0700

[rbeckman-nextgen]

ROCKSOLID-4092

Imported Comment. Original Details: Author: christ Created: 2020-04-13T14:40:27.000-0700