Security: 3rd-Party Vulnerabilities

Introduction

This page lists known 3rd-party vulnerabilities that do not apply to the Bloomreach Experience Manager products themselves but might apply to specific implementations of those products, because the products provide (and enforce the version of) the affected libraries/dependencies.

The vulnerabilities listed on this page can't be fixed by changing the Bloomreach Experience Manager products or their dependencies. The list is provided to make Bloomreach Experience Manager customers and the Bloomreach Experience Manager community aware of them so they can take appropriate action in case their implementations are affected.

3rd-Party Vulnerabilities

jQuery

jQuery before 3.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed (CVE-2015-9251).

Bloomreach Experience Manager and the Wicket framework it uses only make Ajax calls to the same origin.

The exception to this is the inclusion of the cms.js script hosted at hippocdn.global.ssl.fastly.net, which is used for usage statistics, and the subsequent calls it makes to include scripts from segment.com and from the integrations enabled there. All of those are trusted origins. The inclusion of the cms.js script can also be prevented by disabling usage statistics.

So Bloomreach Experience Manager itself is not vulnerable. Customizations might be, however, if they use the jQuery library bundled with the CMS to perform cross-origin Ajax calls to untrusted parties. If your project contains such customizations, include an explicit dataType option in every external Ajax call so that jQuery never has to infer the response type from the Content-Type header.

Some background: jQuery is bundled with the Wicket framework. Bloomreach Experience Manager 13.4.1 and later use Wicket 7 with jQuery 3.x. Bloomreach Experience Manager 12.6.8 uses Wicket 6 with jQuery 2.x. For future releases, we're looking into upgrading to Wicket 8.
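The following is an added example, not code from Bloomreach, Wicket or jQuery, of how a project customization can enforce the advice above: a jQuery Ajax prefilter that rejects any cross-origin request made without an explicit dataType, so a text/javascript response from a foreign host is never auto-executed. The page origin, the partner URLs and the `hardenAjaxOptions` helper are assumptions made for the example; the `jQuery.ajaxPrefilter` hook is the real jQuery API.

```javascript
// Added example (not Bloomreach/Wicket/jQuery code). Guards the jQuery bundled
// with the CMS against CVE-2015-9251 in project customizations: cross-origin
// Ajax calls must state their dataType, otherwise the request is refused.

// True when requestUrl resolves to an origin other than the page's own.
// Relative and protocol-relative URLs resolve against pageOrigin first.
function isCrossOrigin(requestUrl, pageOrigin) {
  const target = new URL(requestUrl, pageOrigin);
  return target.origin !== new URL(pageOrigin).origin;
}

// Returns the (copied) options when they are acceptable, throws otherwise.
// Same-origin calls are left alone: jQuery's auto-detection is safe there.
function hardenAjaxOptions(options, pageOrigin) {
  const opts = { ...options };
  if (!isCrossOrigin(opts.url, pageOrigin)) {
    return opts;
  }
  if (!opts.dataType) {
    // Missing dataType is exactly the CVE-2015-9251 condition: fail closed.
    throw new Error(
      `cross-origin Ajax call to ${opts.url} must set an explicit dataType`
    );
  }
  if (opts.dataType === "script" || opts.dataType === "jsonp") {
    // These types execute the response by design; treat them as a mistake
    // unless the customization has deliberately opted in elsewhere.
    throw new Error(
      `cross-origin Ajax call to ${opts.url} would execute the response`
    );
  }
  return opts;
}

// In the browser, register the guard with jQuery. An exception thrown from a
// prefilter propagates out of jQuery.ajax(), so the request is never sent.
if (typeof jQuery !== "undefined" && typeof window !== "undefined") {
  jQuery.ajaxPrefilter(function (options) {
    hardenAjaxOptions(options, window.location.origin);
  });
}
```

Running this in a development build surfaces every offending customization as a thrown error at the call site, which is easier to find than an auto-executed script.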
