06-16-2020 12:15 AM
Hi team
We received this vulnerability in the report by our vendor for our PA
"
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by a cross site scripting vulnerability
"
and the solution given for this is "Upgrade to JQuery version 3.5.0 or later."
I researched my way through Google and only found this helpful
But I am not getting a precise solution... has anyone else faced this?
Currently we are running PAN-OS 8.1.13
Thanks in advance
06-24-2020 06:15 AM
Got below UPDATE from TAC-
JQuery - cross site scripting vulnerability CVE-2020-11022.
> This is a false positive by the vulnerability scanner. Palo Alto Networks Web Mgmt GUI utilises a very lightweight subset of jquery function and is not impacted by the CVE reported in jquery.
06-18-2020 05:59 AM
Hi @shubhamG ,
I'd check with support for this one as JQuery isn't even listed on the 8.1 OSS listing.
It's only listed on the 9.0 and 9.1 OSS lists where it's shown as version 1.12.2
Cheers,
-Kiwi.
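The finding quoted in the first post is based only on the version string the script reports about itself. The sketch below is an added example, not part of the thread and not the scanner's or Palo Alto Networks' code; it reproduces that kind of check so a flagged file can be triaged. The regular expressions, function names and sample file contents are assumptions constructed for illustration; the range is the one quoted in the report.

```javascript
// Added example: triage of a "self-reported version" jQuery finding.
// Range as quoted in the report: >= 1.2 and prior to 3.5.0.
const RANGE = { min: [1, 2, 0], maxExclusive: [3, 5, 0] };

// Places a jQuery build commonly states its own version (assumed patterns):
// the banner comment, or the internal `jquery: "x.y.z"` property.
const VERSION_PATTERNS = [
  /jQuery\s+(?:JavaScript Library\s+)?v(\d+(?:\.\d+){1,2})/i,
  /\bjquery\s*:\s*["'](\d+(?:\.\d+){1,2})/,
];

// "1.2" -> [1, 2, 0] so two-part versions compare correctly.
function parseVersion(text) {
  const parts = text.split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function selfReportedVersion(source) {
  for (const re of VERSION_PATTERNS) {
    const m = re.exec(source);
    if (m) return m[1];
  }
  return null; // banner stripped or file is not jQuery
}

// "version-match" means only that the reported version is in range;
// it says nothing about which jQuery functions the page actually calls.
function triage(source) {
  const version = selfReportedVersion(source);
  if (version === null) return { version: null, verdict: "no-banner" };
  const v = parseVersion(version);
  const inRange =
    compare(v, RANGE.min) >= 0 && compare(v, RANGE.maxExclusive) < 0;
  return { version, verdict: inRange ? "version-match" : "outside-range" };
}

// Constructed sample inputs (not taken from any PAN-OS file).
const SAMPLES = {
  minified: "/*! jQuery v1.12.2 | (c) jQuery Foundation */\n!function(a,b){}(window);",
  fixed: "/*!\n * jQuery JavaScript Library v3.5.0\n */",
  stripped: "!function(a,b){}(window);",
};
for (const [name, src] of Object.entries(SAMPLES)) console.log(name, triage(src));
```

A `version-match` result is the point at which to ask the vendor which jQuery functions are actually in use, which is the question the TAC replies in this thread address.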
08-24-2020 03:45 AM
Dear Team,
We had already raised this jQuery version vulnerability (2 months ago), and PA TAC suggested the below:
=================================================================================
Currently there is no scheduled release date for the JQuery 3.5.X library within PAN-OS however it is presently going through QA and being evaluated for future release. Please note PAN-OS uses a small subset of the JQuery function and so it is not impacted by the cross-site scripting vulnerability in said JQuery version. In addition engineering released signature coverage for CVE-2020-11022 and CVE-2020-11023 in Content update 8281 with Threat ID 57176 which detects HTTP Cross Site Scripting Vulnerability. Please apply it to traffic including GlobalProtect if you are using it.
=================================================================================
At that time it was under QA testing and no ETA was provided, so please advise on any permanent solution provided for this vulnerability.
Thanks,