Support » Fixing WordPress » Use of JavaScript Library with Known Vulnerability

  • Resolved Boldair Développement

    (@boldairdeveloppement)


    Hello
    one of my customers recently had a security audit on one of it’s sites that my agency manages

    and amongst the results were 2 topics of “Use of JavaScript Library with Known Vulnerability”
    Those concern

    Vulnerable Javascript library: jQuery version: 1.12.4 script uri: /wp-includes/js/jquery/jquery.js?x44815
    
    Details: CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432). Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
    ---------------------------------------------
    In jQuery versions on or above 1.12.2 and below 2.2.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer following resource for more details: https://bugs.jquery.com/ticket/11974, http://research.insecurelabs.org/jquery/test/
    ---------------------------------------------

    and the second one is :

    
    Vulnerable javascript library: jQuery.ui.dialog version: 1.11.4
    
    Details: jquery.ui.dialog version below 1.12.0 is vulnerable to XSS if the user input is allowed to pass through to the closeText property. Please refer vendor documentation (https://github.com/jquery/ api.jqueryui.com/issues/281)for latest security updates.

    Now both those libraries are distributed with Worpress Core (even in the latest 5.4.1)
    and live in /wp-includes/js/ so i can’t really upgrade them (besides upgrading to the latest jQquery 3.x.x would probably break out a lot of plugins out there)

    I’m using Wordfence, which probably protects me from the XSS vulnerabilities in those, still if these have known vulnerabilities I’d like to know if there’s a mitigation in place inside WP itself ? (and if a switch to a not vulnerable major versions of jQuery (like apparently from that report 1.12.1) is something that’s possibly happening at some point ?

Viewing 3 replies - 1 through 3 (of 3 total)
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Use of JavaScript Library with Known Vulnerability’ is closed to new replies.