• Resolved Boldair Développement

    (@boldairdeveloppement)


    Hello
    one of my customers recently had a security audit on one of its sites that my agency manages

    and amongst the results were 2 topics of “Use of JavaScript Library with Known Vulnerability”
    Those concern

    Vulnerable Javascript library: jQuery version: 1.12.4 script uri: /wp-includes/js/jquery/jquery.js?x44815
    
    Details: CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432). Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
    ---------------------------------------------
    In jQuery versions on or above 1.12.2 and below 2.2.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer following resource for more details: https://bugs.jquery.com/ticket/11974, http://research.insecurelabs.org/jquery/test/
    ---------------------------------------------

    and the second one is :

    
    Vulnerable javascript library: jQuery.ui.dialog version: 1.11.4
    
    Details: jquery.ui.dialog version below 1.12.0 is vulnerable to XSS if the user input is allowed to pass through to the closeText property. Please refer vendor documentation (https://github.com/jquery/api.jqueryui.com/issues/281) for latest security updates.

    Now both those libraries are distributed with WordPress Core (even in the latest 5.4.1)
    and live in /wp-includes/js/ so I can’t really upgrade them (besides, upgrading to the latest jQuery 3.x.x would probably break a lot of plugins out there).

    I’m using Wordfence, which probably protects me from the XSS vulnerabilities in those. Still, if these have known vulnerabilities, I’d like to know if there’s a mitigation in place inside WP itself (and if a switch to a non-vulnerable major version of jQuery (like, apparently from that report, 1.12.1) is something that’s possibly happening at some point)?
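
Added example, not part of the original post and not WordPress or jQuery project code: a site-level mitigation for the CVE-2015-9251 behaviour quoted in the report, using jQuery's `ajaxPrefilter` to stop cross-domain responses from being auto-evaluated as script when no `dataType` was requested. The helper names and the sample options objects are assumptions made for illustration, and `inferredType` is a simplified model of jQuery's content-type sniffing included only so the effect can be checked offline.

```javascript
// Prefilter body: jQuery calls it once per $.ajax() request, after it has
// computed options.crossDomain and before the request is sent.
function blockCrossDomainScriptEval(options) {
  if (options.crossDomain && options.contents) {
    // `contents` maps a dataType to a regex tested against the response
    // Content-Type. Disabling the "script" entry means a third-party
    // text/javascript response is no longer inferred to be executable.
    options.contents.script = false;
  }
}

// Register the prefilter on a jQuery-like object (hypothetical helper).
function installMitigation(jq) {
  if (!jq || typeof jq.ajaxPrefilter !== "function") return false;
  jq.ajaxPrefilter(blockCrossDomainScriptEval);
  return true;
}

// Simplified model of how jQuery picks a dataType when the caller gave none:
// the first `contents` regex matching the Content-Type wins.
function inferredType(options, contentType) {
  for (const type of Object.keys(options.contents || {})) {
    const re = options.contents[type];
    if (re && re.test(contentType)) return type;
  }
  return null;
}

// In the browser, run this after jquery.js has loaded and before any
// plugin issues an AJAX request.
if (typeof jQuery !== "undefined") installMitigation(jQuery);
```

Requests that explicitly pass `dataType: "script"` (for example `$.getScript`) are unaffected, so the prefilter only removes the implicit evaluation path.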
