JQuery Security Issue in Application

Dominik
edited July 2020 in LPAR2RRD
Hello, 

I'm running LPAR2RRD and STOR2RRD in a security-sensitive environment. Our internal security scan showed us that the application is using an outdated version of jQuery. Are there any plans to update it in the near future?

Here's the result of our scan:

According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.
Solution:
Upgrade to JQuery version 3.5.0 or later.
See Also https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Systems
Output
  Installed version : 1.11.3
  Fixed version     : 3.5.0

Comments

  • Hello, 

    Both applications use jQuery 3.2.1, not 1.11.3 as your scanner detected. It's bundled in the minified library in html/jquery/libs.min.js


  • Thanks for the reply. Might be a false alarm on the version. But still not 3.5. ;)
  • Hello,

    I have the same concern as Dominik, my internal security scan reports the same vulnerability.

    I have 2 questions:
    • If both applications use jQuery 3.2.1, can we remove jquery-1.11.3.min.js?
    • Is there any plan to migrate the applications to jQuery 3.5 to fix the cross-site scripting vulnerabilities?
  • Jirka
    edited September 2020
    Hi Francois,

    If you're running a recent version of LPAR2RRD (6.00 and newer), you can safely remove jquery-1.11.3.min.js from html/jquery; it's not used anymore.

    We'll try to integrate jquery v3.5 into the upcoming versions, unless there are any complications.
  • Now I see, we use an old jQuery version in the virtual appliance opening page; we'll fix it in the next release.
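The thread turns on two separate questions: which jQuery version a file self-reports (the string the scanner keys on), and whether that file is actually loaded by any page. The script below is an added example, not code from the thread or from the LPAR2RRD/STOR2RRD project; it reads the `/*! jQuery vX.Y.Z` banner that minified jQuery builds carry (and the `version = "X.Y.Z"` assignment in unminified builds), compares it against the 3.5.0 fix version quoted in the scan, and checks whether each file is referenced by a `<script src>` in the HTML. The file names and contents are constructed sample data modelled on the paths mentioned above, and the regexes and the recommendation logic are my own assumptions.

```python
"""Audit bundled jQuery copies: self-reported version vs. the 3.5.0 fix, and whether each copy is referenced."""
import re
from pathlib import Path

# Version in which the cross-site scripting fixes cited by the scanner landed.
FIXED_VERSION = (3, 5, 0)

# Assumption: minified jQuery builds keep a "/*! jQuery vX.Y.Z ..." banner;
# unminified builds carry 'var version = "X.Y.Z"'. Both are what a scanner's
# "self-reported version" check would key on.
BANNER_RE = re.compile(r"/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)", re.IGNORECASE)
VERSION_VAR_RE = re.compile(r'\bversion\s*=\s*"(\d+\.\d+\.\d+)"')
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def parse_version(js_text):
    """Return the jQuery version self-reported in JS text as a tuple, or None."""
    m = BANNER_RE.search(js_text) or VERSION_VAR_RE.search(js_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when a version was found and it predates the fixed release."""
    return version is not None and version < FIXED_VERSION


def referenced_scripts(html_text):
    """Set of script src values a page loads."""
    return set(SCRIPT_SRC_RE.findall(html_text))


def audit(js_files, html_pages):
    """js_files / html_pages map path -> text. Returns {path: finding} for every JS file."""
    used = set()
    for html in html_pages.values():
        used |= referenced_scripts(html)
    findings = {}
    for path, text in js_files.items():
        version = parse_version(text)
        name = Path(path).name
        referenced = any(src.endswith(name) for src in used)
        if is_vulnerable(version) and referenced:
            action = "upgrade"            # loaded by a page: needs the newer jQuery
        elif is_vulnerable(version):
            action = "remove unused copy" # stale file: scanner flags it, nothing loads it
        else:
            action = "ok"
        findings[path] = {"version": version, "referenced": referenced, "action": action}
    return findings


# Constructed sample data (not real project files): a bundle carrying jQuery 3.2.1,
# a leftover 1.11.3 copy nothing loads, and an unrelated script.
SAMPLE_JS = {
    "html/jquery/libs.min.js":
        '/*! jQuery v3.2.1 | (c) JS Foundation and other contributors | jquery.org/license */\n'
        '!function(a,b){"use strict"}();',
    "html/jquery/jquery-1.11.3.min.js":
        '/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */\n'
        '!function(a,b){}();',
    "html/app.js": 'function refresh(){}',
}
SAMPLE_HTML = {
    "html/index.html":
        '<html><head><script src="jquery/libs.min.js"></script>'
        '<script src="app.js"></script></head></html>',
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_JS, SAMPLE_HTML).items():
        print(f"{path}: version={finding['version']} referenced={finding['referenced']} -> {finding['action']}")
```

Run against the sample data, the bundle is reported as 3.2.1 and still below 3.5.0 (so the only fix is an upgrade), while the 1.11.3 file is flagged as an unreferenced copy that can simply be deleted, which is exactly the distinction the replies above draw. Version comparison uses integer tuples rather than string comparison so that 1.11.3 sorts correctly below 3.5.0.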