Magento 2.4.5: Vulnerable jQuery-Validation1.19.5 XSS Issue Detected

[ReneeLai]

Preconditions and environment

• Magento version: 2.4.5-P12
• Our website is currently running on Magento 2.4.5-p12, which means we are using jQuery validation v1.19.5. We have identified an XSS vulnerability within jQuery validation, and since the showLabel method is extensively used in Magento, we would like to confirm if Magento has any specific mitigation or hardening in place for this XSS risk.

ref: https://security.snyk.io/package/npm/jquery-validation/1.19.5

Steps to reproduce

none

Expected result

none

Actual result

none

Additional information

The jquery-validation version 1.20.0 or later addresses this vulnerability. Since this specific jquery-validation component was originally rewritten by the vendor, we would like to understand Magento's plan to mitigate this risk. Is an upgrade by the vendor being considered or already in progress?

Release note

No response

Triage and priority

• [x] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• [ ] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• [ ] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• [ ] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.