CVE details and related advisories
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Both issues are assigned medium severity scores (6.1-6.9), low to medium impact scores (3-5), and low exploitability scores (1.6-3).
For our use case (Cognito UI) we consider it low risk since:
- XSS vulnerabilities in general are considered low risk unless they are chained with other vulnerabilities, which we’re not aware of at the moment.
- Cognito UI requires authenticated access for most of its functions. The exploitation of this XSS is customer protected (authorized users of Cognito).
- As for unauthenticated vectors:
  - As far as we know the login screen is not affected by the jQuery vulnerabilities in question;
  - One possible way of getting unauthenticated data into Cognito UI is from the network (e.g. a hostname or something displayed in the detection detail etc.).
    We sanitize and/or escape any HTML tags in all such data before it is displayed in the UI.
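
An added example (not Cognito UI code and not jQuery's own): it checks a jQuery version string against the two affected ranges quoted above and escapes a network-derived value such as a hostname to plain text, so that no markup is left for `.html()` or `.append()` to parse. The function names, issue labels and sample values are assumptions made for illustration.

```javascript
// Affected ranges exactly as stated in the advisory text above.
// The 'id' labels are made up for this example.
const ISSUES = [
  { id: 'untrusted-html', min: '1.2',   fixed: '3.5.0' }, // any untrusted HTML
  { id: 'option-element', min: '1.0.3', fixed: '3.5.0' }, // HTML containing <option>
];

// Parse "3.4.1" or "1.2" into [major, minor, patch]. In a page the string
// comes from jQuery.fn.jquery; only the first whitespace-separated token is
// used, and anything that is not plain x.y or x.y.z is rejected, not guessed.
function parseVersion(v) {
  const token = String(v).trim().split(/\s+/)[0];
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?$/.exec(token);
  if (!m) throw new TypeError('unrecognised version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the labels of the issues whose range contains this version.
function affectedIssues(version) {
  return ISSUES
    .filter(i => compareVersions(version, i.min) >= 0 &&
                 compareVersions(version, i.fixed) < 0)
    .map(i => i.id);
}

// Escape every character that can open a tag, entity or attribute value.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Hypothetical renderer for a host column: the untrusted hostname is escaped
// before being concatenated into markup handed to a DOM manipulation method.
function renderHostCell(hostname) {
  return '<td class="host">' + escapeHtml(hostname) + '</td>';
}

// Constructed sample: a hostname field that carries markup.
console.log(affectedIssues('3.4.1'), renderHostCell('db-01<b>bold</b>'));
```
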