FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rt -- XSS via jQuery

Affected packages
4.2.0 <= rt42 < 4.2.16
4.4.0 <= rt44 < 4.4.4

Details

VuXML ID 416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42
Discovery 2019-03-05
Entry 2019-03-06

BestPractical reports:

The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates; however, a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.

References

CVE Name CVE-2015-9251
URL https://docs.bestpractical.com/release-notes/rt/4.2.16
URL https://docs.bestpractical.com/release-notes/rt/4.4.4