This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. Upstream issue: https://github.com/knockout/knockout/issues/1244 Upstream patch: https://github.com/knockout/knockout/pull/2345 https://github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb
External References: https://snyk.io/vuln/npm:knockout:20180213
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2019:4069 https://access.redhat.com/errata/RHSA-2019:4069
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2019:4071 https://access.redhat.com/errata/RHSA-2019:4071
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14862