
Update jquery-ui and jquery-ui-dialog due to high rated CVEs #13598

Closed
fdellwing opened this issue Oct 12, 2018 · 3 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@fdellwing
Contributor

fdellwing commented Oct 12, 2018

There is a neat little helper for testing for JS dependencies with security flaws (retirejs).

Matomo uses two libraries that have a high CVE rating (score above 7.0):

jquery-ui 1.10.4 (CVE-2016-7103)
jquery-ui-dialog 1.10.4 (CVE-2016-7103)

There are some more libraries with medium CVEs, and some really high CVEs in the tests, but these should be reviewed independently.

Complete scan: matomo.retirejs.txt

@Findus23 Findus23 added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Oct 12, 2018
@Findus23
Member

Findus23 commented Oct 12, 2018

Related to #12961.
I guess we need to update all frontend libraries and then do extensive testing and bugfixing to make everything work again.

But until then updating to 1.12 may not break anything.

@Findus23
Member

Now that I took a closer look at the issue, I remember that I already read about CVE-2016-7103.

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

https://www.npmjs.com/advisories/127

As a search for closeText only shows hardcoded strings, Matomo shouldn't be vulnerable.

Nevertheless all frontend libraries need to be updated, so I'm closing this in favor of #12961

@Findus23 Findus23 added the answered For when a question was asked and we referred to forum or answered it. label Oct 14, 2018
@fdellwing
Contributor Author

Just a hint: there might be plugins that use user input in these cases.

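To make the sink concrete, here is an added example (it is not Matomo's or jQuery UI's code) that models in plain Node.js how the dialog title bar handled `closeText` in jQuery UI 1.11.4 versus the 1.12 fix, and a regex triage pass in the spirit of the search for `closeText` described above, run over a constructed plugin snippet. The escaping mirrors what `$("<a>").text(closeText).html()` produces (a text node serialised to innerHTML escapes only `&`, `<` and `>`); the `translate(...)` call and `params.label` in the sample source are invented names, not Matomo APIs.

```javascript
// Added example, not Matomo or jQuery UI code. Models the CVE-2016-7103
// sink: in jQuery UI 1.11.4 dialog passed `closeText` straight to the
// button widget as its `label`, and the button widget inserted that label
// with jQuery's .html(), so markup in the string was parsed as HTML.
// jQuery UI 1.12 wraps the option as $("<a>").text(closeText).html(),
// i.e. it is serialised as a text node first. This helper reproduces that
// serialisation (a text node's innerHTML escapes only &, < and >).
function escapeLikeTextToHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Markup the close button's label span ends up containing.
// fixed=false reproduces the 1.11.4 behaviour, fixed=true the 1.12 fix.
function renderCloseButtonLabel(closeText, fixed) {
  const label = fixed ? escapeLikeTextToHtml(closeText) : String(closeText);
  // equivalent of span.html(label): the string is parsed as markup
  return `<span class="ui-button-text">${label}</span>`;
}

// Did the closeText value introduce its own elements into the label?
function introducesMarkup(rendered) {
  const open = '<span class="ui-button-text">';
  const inner = rendered.slice(open.length, -"</span>".length);
  return inner.includes("<");
}

// Source triage in the spirit of the search described in the issue: report
// every `closeText:` whose value is not a plain string literal, since those
// are the call sites where user input could reach the option. Regex-based,
// so it is a triage aid for grepping plugins, not a JavaScript parser.
function findNonLiteralCloseText(source) {
  const hits = [];
  const valueRe = /closeText\s*:\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^,}\n]+)/;
  source.split("\n").forEach((line, idx) => {
    const m = line.match(valueRe);
    if (!m) return;
    const value = m[1].trim();
    const isLiteral = value.startsWith("'") || value.startsWith('"');
    if (!isLiteral) hits.push({ line: idx + 1, value });
  });
  return hits;
}

// Constructed sample plugin source (not real Matomo plugin code); the
// `translate` helper and `params.label` are invented for illustration.
const SAMPLE_PLUGIN_SOURCE = [
  "// constructed sample, not real plugin code",
  "$('#settings').dialog({",
  "    closeText: 'Close',",
  "    modal: true",
  "});",
  "$('#preview').dialog({",
  "    closeText: translate('General_Close'),",
  "});",
  "$('#share').dialog({ closeText: params.label, width: 400 });",
].join("\n");

// Constructed attacker-controlled value that a plugin might pass through.
const USER_SUPPLIED_CLOSE_TEXT = "<img src=x onerror=alert(document.cookie)>";

const vulnerableMarkup = renderCloseButtonLabel(USER_SUPPLIED_CLOSE_TEXT, false);
const fixedMarkup = renderCloseButtonLabel(USER_SUPPLIED_CLOSE_TEXT, true);
console.log("1.11.4-style:", vulnerableMarkup, "->", introducesMarkup(vulnerableMarkup));
console.log("1.12-style:  ", fixedMarkup, "->", introducesMarkup(fixedMarkup));
console.log("non-literal closeText sites:", findNonLiteralCloseText(SAMPLE_PLUGIN_SOURCE));
```

The triage function deliberately flags translation calls as well as direct parameters: a translated string is normally safe, but the reviewer still has to confirm where the translation text comes from, which is exactly the judgement the issue thread ends on.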