JQuery 1.2 < 3.5.0 Multiple XSS vulnerability
The vulnerability below was reported during VAPT.
Plugin Name - JQuery 1.2 < 3.5.0 Multiple XSS
CVE-Combined - CVE-2020-11022,CVE-2020-11023
Synopsis - The remote web server is affected by multiple cross site scripting vulnerabilities.
Description -
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.
Note, the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.
Solution - Upgrade to JQuery version 3.5.0 or later.
See also -
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://security.paloaltonetworks.com/PAN-SA-2020-0007
Plugin Output -
URL : http://x.x.x.x/third_party/jquery/jquery-1.10.1.min.js
Installed version : 1.10.1
Fixed version : 3.5.0
Wondering if the above vulnerability is applicable to Product Model MS425-16 with firmware 12.28; could anyone please help with this? Also, please share any other document that describes this vulnerability on the Meraki platform in more detail.
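As an added example (not from the original post, nor from Cisco Meraki or the scanner vendor), here is a small Python triage helper that parses the plugin output quoted above, cross-checks the version embedded in the script URL against the reported "Installed version", and decides whether that version falls inside the affected range the plugin states (1.2 or later, prior to 3.5.0). The sample input is constructed from the post; the field labels and the `jquery-<version>.min.js` filename convention are assumptions about the scan output format.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the plugin output block quoted in the post above
# (the host x.x.x.x is a placeholder, as in the original finding).
SAMPLE_OUTPUT = """\
URL : http://x.x.x.x/third_party/jquery/jquery-1.10.1.min.js
Installed version : 1.10.1
Fixed version : 3.5.0
"""

# Affected range as stated by the plugin for CVE-2020-11022 / CVE-2020-11023.
AFFECTED_MIN = "1.2"
FIXED_IN = "3.5.0"


def version_key(v: str) -> Tuple[int, int, int]:
    """Turn '1.10.1' into (1, 10, 1) so components compare numerically.

    Plain string comparison is the classic pitfall here: as strings,
    '1.10.1' < '1.2', which would wrongly rank 1.10.1 below the 1.2 floor.
    Missing components are padded with zeros so '3.5' equals '3.5.0'.
    """
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def parse_plugin_output(text: str) -> Dict[str, str]:
    """Extract the 'Label : value' fields from a plugin output block.

    Assumption: field labels match those in the quoted finding.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(URL|Installed version|Fixed version)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def version_from_url(url: str) -> Optional[str]:
    """Pull the version out of a jquery-<version>[.min].js filename.

    Assumption: the hosted file follows jQuery's usual naming convention.
    This is the same self-reported evidence the plugin relies on, so it
    confirms consistency of the finding, not that the vulnerable code path
    is reachable on the device.
    """
    m = re.search(r"jquery-(\d+(?:\.\d+)+)(?:\.min)?\.js", url)
    return m.group(1) if m else None


def is_affected(installed: str, lo: str = AFFECTED_MIN, fixed: str = FIXED_IN) -> bool:
    """True when lo <= installed < fixed, compared component-wise."""
    return version_key(lo) <= version_key(installed) < version_key(fixed)


def triage(text: str) -> Dict[str, object]:
    """Summarise one finding: reported version, URL version, and range check."""
    fields = parse_plugin_output(text)
    installed = fields.get("Installed version")
    from_url = version_from_url(fields.get("URL", ""))
    return {
        "installed": installed,
        "version_in_url": from_url,
        "consistent": installed is not None and installed == from_url,
        "affected": is_affected(installed) if installed else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT))
```

The range check answers only the question the scanner asks: is the self-reported jQuery version inside the published affected range. Whether the local device status page actually passes untrusted HTML through jQuery's DOM manipulation methods (the condition these CVEs need) is a separate question that the plugin does not test, which is why a vendor statement or, as the replies below suggest, disabling the page is what settles the finding in practice.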
We bumped into this after our first Nessus vulnerability scan against the first few Meraki devices (MR33's and MX67C's) we implemented circa 2020. I can't remember if we reached out to Meraki support about it or not, but our workaround/permafix was to disable the Local Device Status Page across the board.
You can temporarily re-enable the Local Device Status Page if/when you need it.
The current stable firmware release is 14.33.1. Is there any reason you're using the much older 12.28 release still?
I don't know, but I suspect if you move to a current firmware release the security issue will be resolved.
I ran into this today from a pen-tester as well. The firmware is updated to the latest version; the only "solution" seems to be to completely disable the management of the local device status page.
