Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read the full disclaimer for more details.

Vulnerabilities in Versions of jQuery Libraries Used by Microsoft Dynamics 365


Introduction

Certain jQuery libraries in use by Dynamics have known vulnerabilities that allow cross-site scripting (XSS) attacks. This article addresses Dynamics' use of these libraries and whether these vulnerabilities are present in the latest releases of Dynamics 365 (On-Premises).



Version Information

jQuery Libraries with identified vulnerabilities which are in use by the Microsoft Dynamics 365 (On-Premises) versions listed:

jQuery version 2.1.1
jQuery.ui version 1.8.21

Microsoft Dynamics 365 versions that use the above libraries reviewed for this vulnerability assessment:

Microsoft Dynamics 365 versions 8.2.2.0112 and above
Microsoft Dynamics CRM versions 7.1.2.1032 and above



Vulnerability Assessment

For the versions of Dynamics 365 assessed, the out-of-the-box usage of vulnerable functions in the above libraries is safe. Although the libraries are in use, depending on the exact build of the products, these known vulnerabilities cannot be used.

Microsoft Dynamics 365 is leveraging stable branch versions of jQuery; this includes 3.x, 2.x, and 1.x. While there are risks associated with specific functionality within the library, all usage of jQuery has been extensively reviewed in our Microsoft SDL process and we have ensured that vulnerable methods are not in use. The processes that use these jQuery libraries will do so until they are made obsolete (deprecated) by the product.



Article Info
Article ID : 4530348
Revision : 2
Created on : 11/5/2019
Published on : 11/5/2019
Exists online : False