Mirth Connect
  1. Mirth Connect
  2. MIRTH-4425

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Minor Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 3.9.0
    • Component/s: Server, Web Administrator
    • Labels:
      None

      Description

      jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

      https://nvd.nist.gov/vuln/detail/CVE-2012-6708

      As a workaround, you can do the following:

      • Delete webadmin.war from the webapps folder.
      • Download latest 1.x jQuery (e.g. 1.12.4)
      • Replace the jQuery JavaScript files in:
        • public_html/js
        • public_api_html/lib
      • Edit the following HTML files to point to the new version of jQuery
        • public_html/index.html
        • public_api_html/index.html
      • Restart Mirth Connect

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            Unassigned
            Reporter:
            Nick Rupley
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated: