
Stale JavaScript libraries in use #11017

Closed
SimonWaters opened this issue Dec 15, 2016 · 3 comments
Labels
answered For when a question was asked and we referred to forum or answered it.

Comments

@SimonWaters

In testing 3.0.0-rc3 I ran a tool which uses retirejs to assess state of JavaScript included.

It noted that Angular 1.4.10 and JQuery 2.2.3 are in use, and that these both have known security issues.

I noted also that it is possible to generate reports that trigger Angular expression parsing errors, so it might be possible to create a stored XSS issue via accessing constructors in Angular expressions, although I haven't demonstrated this. Migrating to a patched release of Angular may be easier than demonstrating Piwik isn't vulnerable to this (I'm still working out how I created the parsing errors and will raise a ticket when I know).

I note also reports are only shown to the current owner, so this may not be usefully exploitable even if it is exploitable.
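The check the report describes (retirejs flagging the bundled jQuery 2.2.3 and Angular 1.4.10 as out of date) reduces to two steps: identify which library versions a shipped bundle contains, then compare them against a minimum-version policy. The script below is an added example, not code from the Piwik project or from retire.js. It assumes the libraries keep their conventional banner comments (`/*! jQuery v2.2.3 | ...` and `@license AngularJS v1.4.10`), and the minimum versions in `POLICY` are constructed placeholder values for illustration, not recommendations taken from this issue.

```javascript
// Added example: a minimal stale-library gate in the spirit of retirejs.
// Not part of Piwik or retire.js. Banner formats and POLICY values are assumptions.

// Banner patterns for the two libraries named in the issue (assumed formats).
const BANNER_PATTERNS = [
  { name: 'jquery',  re: /jQuery v(\d+\.\d+\.\d+)/ },
  { name: 'angular', re: /@license AngularJS v(\d+\.\d+\.\d+)/ },
];

// Parse "major.minor.patch" into a numeric triple so "1.4.10" sorts after "1.4.9".
function parseVersion(v) {
  return v.split('.').map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexicographic).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Find which known libraries a bundle contains, from their banner comments.
function detectLibraries(source) {
  const found = [];
  for (const { name, re } of BANNER_PATTERNS) {
    const m = source.match(re);
    if (m) found.push({ name, version: m[1] });
  }
  return found;
}

// Return every detected library whose version is below the policy minimum.
// Libraries absent from the policy are reported as detected but never as stale.
function findStale(source, policy) {
  return detectLibraries(source)
    .filter(({ name, version }) => policy[name] && compareVersions(version, policy[name]) < 0)
    .map(({ name, version }) => ({ name, version, minimum: policy[name] }));
}

// Constructed sample inputs resembling the file headers of the versions named in the issue.
const SAMPLE_JQUERY =
  '/*! jQuery v2.2.3 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}();';
const SAMPLE_ANGULAR =
  '/**\n * @license AngularJS v1.4.10\n * (c) 2010-2016 Google, Inc. http://angularjs.org\n */\n(function(w){})(window);';

// Constructed policy: placeholder minimum versions for a CI gate, not values from the issue.
const POLICY = { jquery: '3.0.0', angular: '1.6.0' };

// Run the gate over a combined bundle; a non-empty report should fail the build.
const REPORT = findStale(SAMPLE_JQUERY + '\n' + SAMPLE_ANGULAR, POLICY);
console.log(JSON.stringify(REPORT, null, 2));
```

In a real pipeline `SAMPLE_*` would be replaced by reading the built asset files, and `POLICY` would be maintained alongside the dependency manifest so that the gate fails the moment a bundled library falls behind the agreed minimum; the banner-matching approach is only a first line of defence, since minified or concatenated bundles may strip those comments.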

@mattab
Member

mattab commented Dec 15, 2016

Thanks for the report. In #11021 we upgrade AngularJS, but there was no change to the sanitize library, so we should be safe. We'll upgrade jQuery in a subsequent point release.

@mattab
Member

mattab commented Feb 20, 2017

We need to update all JS libraries used at some point. Would be great if you (or someone else) could help with this 👍

@mattab mattab closed this as completed Feb 20, 2017
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Feb 20, 2017
@rolandinsh

rolandinsh commented Nov 7, 2018

What about the jQuery update?
Our security tests don't like outdated libraries (jQuery 2.2.3) :|
Will just open this again :)
