@jenrol
Summary
jQuery version 2.2.4 has an XSS vulnerability.
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
See CVE-2020-11022 for details.
Your Environment
- Matomo Version: 4.1.1
- PHP Version: 7.4.7
- Server Operating System: Amazon Linux
- Additionally installed plugins: none
@sgiehl
Thanks for creating the issue. We haven't yet update jQuery as it caused problems with our Wordpress plugin. Once we have solved it I guess we will update it at least in the next major release. See https://github.com/matomo-org/wp-matomo/issues/314
Also I'm note sure if those vulnerabilities apply for Matomo (if you have a proof of concept for any of them in Matomo, it would be great if you could report it to https://matomo.org/security/).
I don't know if the XSS is really applicable for Matomo, it's very likely that it's not. It just popped up in a pentest report and I wanted to let you know. It was classified as an unverified medium level issue, so it's not a dealbreaker for us.
@tsteur
FYI we applied the recommended patch for this one in https://github.com/matomo-org/matomo/commit/3aeb55f0020597c044f85e58b190bfe9eb42ebf3#diff-c1ed6b08f25739fbcb946deed857f1b4a1aaaf560af98a8e7256fecf129fa967R8 . I'm quite certain we can close this one?
closing this one for now as the fix is already applied