JQuery 1.2 < 3.5.0 Multiple XSS vulnerability

Shrinivasa
New here

JQuery 1.2 < 3.5.0 Multiple XSS vulnerability

Below vulnerability reported on VAPT. 

Plugin Name - JQuery 1.2 < 3.5.0 Multiple XSS

CVE-Combined - CVE-2020-11022,CVE-2020-11023

Synopsis - The remote web server is affected by multiple cross site scripting  vulnerability.

Description - 

According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.

Note, the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or the scenarios
required for successful exploitation do not exist on devices running a PAN-OS release.

Solution - Upgrade to JQuery version 3.5.0 or later.

See also -

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://security.paloaltonetworks.com/PAN-SA-2020-0007

 

Plugin Output---

URL : http://x.x.x.x/third_party/jquery/jquery-1.10.1.min.js
Installed version : 1.10.1
Fixed version : 3.5.0

 

Wondering if above vulnerability is applicable for Product Model - MS425-16 &  firmware 12.28, anyone please help on this. Also share if any other document available which describes more about this vulnerability in Meraki platform.

2 Replies 2
Crocker
A model citizen

We bumped into this after our first Nessus vulnerability scan against the first few Meraki devices (MR33's and MX67C's) we implemented circa 2020. I can't remember if we reached out to Meraki support about it or not, but our workaround/permafix was to disable the Local Device Status Page across the board.

 

You can temporarily re-enable the Local Device Status Page if/when you need it.

PhilipDAth
Kind of a big deal
Kind of a big deal

The current stable firmware release is 14.33.1.  Is there any reason you're using the much older 12.28 release still?

 

I don't know, but I suspect if you move to a current firmware release the security issue will be resolved.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels