Security advisory: ProCall Enterprise WebService – jquery versions between 1.2 and 3.5

Release date	21.02.2022
Reference	PROCALL-1761
Criticality	MEDIUM
CVSS-Score	6.1

Description

In jQuery versions greater than or equal to 1.2 and prior to 3.5.0, passing HTML from untrusted sources-even after cleanup-to any of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) could execute untrusted code. This issue has been fixed in jQuery 3.5.0.

The local WebService that is delivered with the UCServer is affected by this vulnerability.

CVE-2020-11022 Detail

Affected versions

This vulnerability affects all previously released versions of ProCall 7 Enterprise and ProCall 6 Enterprise.

7.0, 7.1, 7.2, 7.3 (all sub-versions)
6.0, 6.1, 6.2, 6.3, 6.4 (all sub-versions)

ProCall Business

21H2

Versions with bug fixes

estos is preparing updates with fixes for the vulnerability. Customers and partners can then obtain the updates via the known channels and follow the normal update process:

ProCall Enterprise 7.3.5, release available: ProCall 7.3.5 Enterprise Release Notes
ProCall Enterprise 6.4.24 release available: Download archive
ProCall Business 22H1 release available: ProCall Business 22H1 (Build 1.5939) Release Notes

End-of-life

Please note the following: If you are using older estos product versions that are no longer supported (End-of-Life has been reached), we strongly recommend updating your software to the current versions for security reasons.
This is because security patches are only regularly developed and made available for current software versions.