Use of JavaScript Library with Known Vulnerability
Hello
One of my customers recently had a security audit on one of its sites that my agency manages, and amongst the results were 2 topics of “Use of JavaScript Library with Known Vulnerability”.
Those concern:

Vulnerable Javascript library: jQuery
version: 1.12.4
script uri: /wp-includes/js/jquery/jquery.js?x44815
Details: CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
---------------------------------------------
In jQuery versions on or above 1.12.2 and below 2.2.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer following resource for more details: https://bugs.jquery.com/ticket/11974, http://research.insecurelabs.org/jquery/test/
---------------------------------------------
and the second one is:

Vulnerable javascript library: jQuery.ui.dialog
version: 1.11.4
Details: jquery.ui.dialog version below 1.12.0 is vulnerable to XSS if the user input is allowed to pass through to the closeText property. Please refer vendor documentation (https://github.com/jquery/api.jqueryui.com/issues/281) for latest security updates.
Now both those libraries are distributed with WordPress Core (even in the latest 5.4.1) and live in /wp-includes/js/, so I can’t really upgrade them (besides, upgrading to the latest jQuery 3.x.x would probably break a lot of plugins out there). I’m using Wordfence, which probably protects me from the XSS vulnerabilities in those; still, if these have known vulnerabilities, I’d like to know if there’s a mitigation in place inside WP itself (and if a switch to a non-vulnerable major version of jQuery (like, apparently from that report, 1.12.1) is something that’s possibly happening at some point)?
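A page-level mitigation for the two findings quoted above, as an added example that is not part of the original post and is not WordPress, jQuery or Wordfence code. The prefilter mirrors the change jQuery 3.0.0 made for the issue linked in the report (jquery/jquery#2432); the helper names `blockCrossDomainScriptEval`, `escapeHtml` and `safeDialogOptions` are hypothetical, and the script is assumed to load after the bundled jQuery.

```javascript
// Added example: hardening shim for pages that must keep jQuery 1.12.4 / jQuery UI 1.11.4.

// CVE-2015-9251: for cross-domain requests with no explicit dataType, stop jQuery
// from sniffing a text/javascript Content-Type and evaluating the response body.
function blockCrossDomainScriptEval(settings) {
  if (settings.crossDomain && settings.contents) {
    settings.contents.script = false; // explicit dataType: "script" is unaffected
  }
  return settings;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value so that it renders as text when a library inserts it as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// jquery.ui.dialog below 1.12.0 treats closeText as HTML, so encode it before
// it reaches the widget. Returns a copy; the caller's object is not modified.
// On jQuery UI 1.12.0 and later this wrapper is unnecessary and would double-encode.
function safeDialogOptions(options) {
  const copy = Object.assign({}, options);
  if (Object.prototype.hasOwnProperty.call(copy, "closeText")) {
    copy.closeText = escapeHtml(copy.closeText);
  }
  return copy;
}

// Register the prefilter only when jQuery is present (browser context).
if (typeof jQuery !== "undefined" && typeof jQuery.ajaxPrefilter === "function") {
  jQuery.ajaxPrefilter(blockCrossDomainScriptEval);
}

// Usage with constructed input, in a browser:
//   jQuery("#box").dialog(safeDialogOptions({ closeText: valueFromUser }));
```

Code that calls `.dialog()` directly with untrusted `closeText` is not covered by the wrapper, so plugin and theme calls still need to be reviewed.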