Vulnerability in DOMPurify in One Identity Manager local HTML5 documentation (4380318)

When installing the Identity Manager Client Tools, there is an option to install a local HTML copy of the product documentation on the target server. The install is also done by default on servers hosting Identity Manager Web Applications.

This documentation was created using 3rd party software, where recently a vulnerability in the component DOMPurify in versions before 3.2.4 has been detected.

The vulnerability issue was identified as Defect #505057.

Hotfix for this Defect, 505057, can be downloaded from the links below: (please choose the correct hotfix version in accordance with the Identity Manager version installed):

For 9.0 LTS 

NOTE: An upgrade to CU4 is required before applying the hotfix

• To download the fix for 9.0 CU4, please click here. 

For 9.1.x

NOTE: An upgrade to 9.1.3 is required before applying the hotfix

• 9.1.3
  • To download the fix for 9.1.3, please click here.

For 9.2.x

NOTE: An upgrade to 9.2.1 or 9.2.2 is required before applying the hotfix

• 9.2.1
  • To download the fix for 9.2.1, please click here.
• 9.2.2
  • To download the fix for 9.2.2, please click here.

For 9.3.x

• 9.3.0
  • To download the fix for 9.3.0, please click here.
• 9.3.1
  • Version 9.3.1 is not affected by this defect.

For Identity Manager On Demand Starling Edition:

• This security Hotfix has been successfully applied to all Identity Manager On-Demand Starling Edition instances. No action is required.

NOTE: The hotfix is provided as a Transport file. For detailed steps on how to install Transports into Identity Manager, please follow the steps in our Knowledge Article: How to import a Transport Hotfix in Identity Manager.