AEM 6.5 uses jQuery 1.12.4 that has vulnerabilities. Will it be upgraded to 3.6 ? | Adobe Higher Education
surenk
Level 4
January 3, 2023

AEM 6.5 uses jQuery 1.12.4 that has vulnerabilities. Will it be upgraded to 3.6 ?

  • January 3, 2023
  • 4 replies
  • 11864 views

jQuery 1.12.4 has security vulnerabilities (listed below). Are there any plans to upgrade jQuery on AEM 6.5 to the latest jQuery 3.6.x ? 

Although we do see a custom jQuery v1.12.4-aem, did Adobe fix some of the vulnerabilities?

As of now, even AEM 6.5.14 comes with jQuery 1.12.4.

 

The docs for 6.5.0 state (https://experienceleague.adobe.com/docs/experience-manager-65/release-notes/service-pack/ga.html?lang=en#experience-manager-foundation):

CAUTION
AEM includes version 1.12.4 of the jQuery library to provide maximum compatibility with existing custom code. Modifications have been done by Adobe to address known security issues.

 

Vulnerabilities in jQuery 1.12.4

1. jQuery prior to version 3.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

2. jQuery prior to version 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

3. In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
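Item 2 above (prototype pollution through a deep extend that honours an own `__proto__` key) is the one a site owner can verify directly against whatever jQuery build a page actually loads. The following is an added example, not code from the original post, from Adobe, or from the jQuery project: a minimal deep-extend that mirrors the pre-3.4.0 behaviour, a hardened variant that applies the same `__proto__` skip jQuery 3.4.0 introduced, and a probe that reports whether a given deep-extend function lets an own `__proto__` key reach `Object.prototype`, cleaning up after itself. The function names, the marker key and the JSON payload are constructed for this example and are not jQuery APIs.

```javascript
// Added example: deep-extend behaviour before and after the jQuery 3.4.0
// prototype-pollution fix, plus a probe that tests any deep-extend function.
// All names here are constructed for this example; they are not jQuery APIs.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Mirrors the pre-3.4.0 logic: every enumerable key of `source` is copied,
// including an own "__proto__" key. Reading target["__proto__"] on a plain
// object yields Object.prototype, so the recursion writes straight into it.
function unsafeDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = unsafeDeepExtend(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant. jQuery 3.4.0 added the "__proto__" skip; "constructor"
// and "prototype" are skipped here as well (a common extra precaution, not
// part of the jQuery fix). Only own keys are walked, and an existing nested
// target is reused only when it is an own plain object, never an inherited one.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeDeepExtend(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: feed `extendFn(target, source)` a JSON document whose own "__proto__"
// key carries a unique marker, then look for the marker on Object.prototype.
// JSON.parse creates "__proto__" as an ordinary own property, which is exactly
// how untrusted input reaches such a merge. Returns true when the marker leaked
// (vulnerable), false otherwise, and always removes the marker afterwards so
// the probe leaves no pollution behind.
function isDeepExtendVulnerable(extendFn) {
  const marker = '__probe_' + Math.random().toString(36).slice(2);
  const payload = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    extendFn({}, payload);
    return Object.prototype[marker] === true;
  } finally {
    delete Object.prototype[marker];
  }
}

// Summarises both reference implementations; returned as an object so the
// result can be inspected rather than only printed.
function probeReport() {
  return {
    unsafeDeepExtend: isDeepExtendVulnerable(unsafeDeepExtend),
    safeDeepExtend: isDeepExtendVulnerable(safeDeepExtend),
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(probeReport());
}
```

In a browser console on an AEM page, `isDeepExtendVulnerable((t, s) => jQuery.extend(true, t, s))` answers the thread's closed-ended question for that specific build: `false` means the fix for this issue is present in the copy of jQuery that is actually loaded, whatever version string `jQuery.fn.jquery` reports.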

4 replies

SureshDhulipudi
Community Advisor
January 4, 2023

You can upgrade to the latest jQuery version in your site's /vendor/* folders.

 

Please see the thread below for more details.

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/pen-test-vulnerabilities-for-jquery-used-by-aem/td-p/397684

aanchal-sikka
Community Advisor
January 4, 2023

One can always use the latest version of jQuery for the sites.

The one provided with AEM is used in AEM with Touch UI. It might be older than the latest available jQuery versions.

Aanchal Sikka
nitesh_kumar-1
Adobe Employee
January 4, 2023

Hi @surenk ,

 

As the product code depends on the older version of jQuery, it is being shipped with it; however, from time to time the vulnerabilities reported are fixed by engineering and shipped with the product. The version you see, jQuery v1.12.4-aem, is one of those that have been modified.

 

  • If you still see those vulnerabilities or new ones, they need to be reported to engineering through a support ticket so that they can be addressed.
  • If you have to use the specific version for your project needs, you can override it as others have suggested.

Hope this helps!

 

Regards,

Nitesh

 

April 13, 2023

Hello. Surenk did ask a closed-ended question that was not addressed: "did Adobe fix some of the (jQuery v1.12.4) vulnerabilities?" Can you provide an answer to this question by either answering: "Yes", "No", or "I/We don't know". Otherwise, your response isn't really assisting much in risk assessment of the product. Thanks, in advance, for your time.

Adobe Employee
February 11, 2025

AEM applies security patches to 1.12.4. The 1.12.4-aem build contains the fixes for CVE-2015-9251, CVE-2019-11358, CVE-2020-11022 and CVE-2020-11023.