@jenrol opened this Issue on February 25th 2021

Summary

jQuery version 2.2.4 has an XSS vulnerability.

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

See CVE-2020-11022 for details.

Your Environment

  • Matomo Version: 4.1.1
  • PHP Version: 7.4.7
  • Server Operating System: Amazon Linux
  • Additionally installed plugins: none
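
The version range quoted in the summary above (>= 1.2 and < 3.5.0) can be checked against bundled jQuery copies by reading the banner comment. This is an added example, not part of the original issue or Matomo's code; the function names, file paths and sample banners are constructed, and treating a 3.5.0 pre-release as still in range is a conservative assumption.

```javascript
// Added example: flag bundled jQuery copies inside the advisory's range.
// Banner forms covered: "/*! jQuery v2.2.4 | ..." (minified) and
// " * jQuery JavaScript Library v2.2.4" (unminified). Anything else -> unknown.
const BANNER = /jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?(?:-[0-9A-Za-z.]+)?)/;

function extractJqueryVersion(source) {
  // The banner sits at the top of the file, so only inspect the head.
  const m = BANNER.exec(source.slice(0, 512));
  return m ? m[1] : null;
}

function parseVersion(v) {
  const [core, pre] = v.split("-", 2);
  const [major, minor, patch = 0] = core.split(".").map(Number);
  return { major, minor, patch, pre: pre || null };
}

function compareCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

function isInAffectedRange(versionString) {
  const v = parseVersion(versionString);
  if (compareCore(v, { major: 1, minor: 2, patch: 0 }) < 0) return false;
  const c = compareCore(v, { major: 3, minor: 5, patch: 0 });
  // Assumption: a pre-release of 3.5.0 is treated as not yet fixed.
  return c < 0 || (c === 0 && v.pre !== null);
}

function auditJquery(source) {
  const version = extractJqueryVersion(source);
  if (version === null) return { version: null, status: "unknown" };
  const status = isInAffectedRange(version) ? "affected-range" : "outside-range";
  return { version, status };
}

// Constructed sample file heads (not real files from any project).
const SAMPLES = {
  "libs/jquery.min.js": "/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */\n",
  "libs/jquery.js": "/*!\n * jQuery JavaScript Library v3.5.0\n * https://jquery.com/\n */\n",
  "libs/other.js": "(function () { /* no banner */ })();\n",
};

for (const [path, head] of Object.entries(SAMPLES)) {
  const { version, status } = auditJquery(head);
  console.log(`${path}: ${version ?? "no banner"} -> ${status}`);
}
```

A result of `affected-range` only says the bundled copy falls in the range; whether untrusted HTML actually reaches `.html()` or `.append()` in the application still has to be verified separately.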

@sgiehl commented on February 25th 2021 Member

Thanks for creating the issue. We haven't yet updated jQuery as it caused problems with our WordPress plugin. Once we have solved it I guess we will update it at least in the next major release. See https://github.com/matomo-org/wp-matomo/issues/314

Also I'm not sure if those vulnerabilities apply to Matomo (if you have a proof of concept for any of them in Matomo, it would be great if you could report it to https://matomo.org/security/).

@jenrol commented on February 25th 2021

I don't know if the XSS is really applicable for Matomo, it's very likely that it's not. It just popped up in a pentest report and I wanted to let you know. It was classified as an unverified medium level issue, so it's not a dealbreaker for us.

@tsteur commented on February 25th 2021 Member
@tsteur commented on March 19th 2021 Member

Closing this one for now as the fix is already applied.

This Issue was closed on March 19th 2021