Just thought you guys ought to know that the delivered patch for CVE-2025-10280 (IIQSR-940) breaks many of our plugins. In particular, the delivered patch to web.xml will reject any files with query. in the name, which includes various jQuery plugins.
So a file path like: /identityiq/plugin/PluginName/ui/js/jquery.bindings.js will result in a 404 after the patch.
This is because the configuration in web.xml (line 972) includes this file pattern:
<!-- all *Query.json
ex. /define/roles/modeler/simpleEntitlementQuery.json -->
Query.,
All paths are lowercased before comparison. It appears that SailPoint did catch this in their testing, as they do ignore any paths containing /jquery/, but not jQuery libraries at other paths.
The quickest fix is to add /jquery. to the web.xml as an ignored path. However, I can’t rely on IIQ customers being willing to fiddle with an official security patch this way.
Meanwhile, I’ve begun patching several of Instrumental ID’s plugins that don’t already use a packager to move the jQuery libraries to a /jquery/ subfolder. (Using a packager like webpack or Angular is the ultimate correct solution.)
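The check below is an added example, not part of the original post and not SailPoint's or Instrumental ID's code: it lists the files in a plugin archive that the patched filter would reject, so affected plugins can be found before users hit the 404. It assumes the filter does a plain substring match on the lowercased request path (the real logic is not shown in the post), that plugin files are served under /identityiq/plugin/<PluginName>/, and the function names and sample archive are constructed for illustration.

```python
import io
import zipfile

# Values taken from the post; matching semantics are an assumption.
BLOCKED = "query."         # pattern from the patched web.xml
IGNORED = ("/jquery/",)    # path fragment the patch already exempts

def is_blocked(path, ignored=IGNORED):
    """True if the lowercased path matches the blocked pattern and no exemption."""
    p = path.lower()
    if any(fragment in p for fragment in ignored):
        return False
    return BLOCKED in p

def audit_plugin(zip_source, plugin_name, ignored=IGNORED):
    """Map each archive entry that would be rejected to its request path."""
    hits = {}
    with zipfile.ZipFile(zip_source) as zf:
        for name in zf.namelist():
            if name.endswith("/"):          # skip directory entries
                continue
            url = f"/identityiq/plugin/{plugin_name}/{name}"
            if is_blocked(url, ignored):
                hits[name] = url
    return hits

def build_sample_plugin():
    """Constructed in-memory plugin archive so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("manifest.xml",
                     "ui/js/app.js",
                     "ui/js/jquery.bindings.js",     # path from the post
                     "ui/js/jQuery.validate.js",     # mixed case, still matches
                     "ui/js/jquery/jquery.min.js"):  # already exempt via /jquery/
            zf.writestr(name, "")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for entry, url in audit_plugin(build_sample_plugin(), "PluginName").items():
        print(f"would 404: {url}")
    # Effect of the web.xml workaround from the post (adding /jquery.):
    patched = audit_plugin(build_sample_plugin(), "PluginName",
                           IGNORED + ("/jquery.",))
    print("still blocked after workaround:", sorted(patched))
```

Point audit_plugin at a real plugin .zip path instead of the sample archive to check a plugin before deploying it to a patched instance.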