Meraki

Community

MX80 reporting jquery XSS vulnerability on internal vulnerability scans

CameronGoS
Here to help
‎Jul 14 2020 1:56 PM
‎Jul 14 2020 1:56 PM

MX80 reporting jquery XSS vulnerability on internal vulnerability scans

Our MX80 is reporting a jquery XSS vulnerability on its web interface from our internal vulnerability scans.  This URL displays the jquery info which reports v1.10.1: http://192.168.8.1/third_party/jquery/jquery-1.10.1.min.js

 

We are currently running firmware v14.40 and I've scheduled an upgrade to v14.42 but am not expecting that to address this issue.

 

Below is the info from the vulnerability:

Synopsis
The remote web server is affected by multiple cross site scripting vulnerability.

 

Description
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.

 

See Also
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

 

Solution
Upgrade to JQuery version 3.5.0 or later.

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 15 2020 1:41 AM
‎Jul 15 2020 1:41 AM

Are you NATing that port to some server or device?

0 Kudos
In response to PhilipDAth
CameronGoS
Here to help
‎Jul 15 2020 6:32 AM
‎Jul 15 2020 6:32 AM

No, it isn't showing up publicly, just locally from internal vulnerability scans.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.