@heurteph-ei opened this Issue on August 17th 2022

Expected Behavior / Current Behavior

We continuously scan all our Products and Packages which we use in our Production Environment.
Afterwards we decide if a found CVE is viable or not. We have Matomo Version 4.10.1 in use and our Scanning Tool of Choice (Sonatype Nexus IQ) found the following Vulnerability:

CVE-2022-31160: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160
CWE: https://cwe.mitre.org/data/definitions/79.html

Explanation (shortened):

The jquery-ui package is vulnerable to Cross-Site Scripting (XSS) attacks. In cases where the checkboxradio widget is initialized within a label element, the _getCreateOptions() function in checkboxradio.js will erroneously decode any encoded HTML elements within the label when the .checkboxradio( "refresh" ) function is invoked.

Description:

Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Detection:

The application is vulnerable by using this component if users are able to manipulate the contents of label elements that also contain a checkboxradio widget.

So, I have to kind of evaluate if this CVE is viable or not. Actually, I would say it's not, because Matomo doesn't use the described functions or "label elements that contain a checkboxradio widget".

Please let me know if I'm wrong. :wink:

Any Plans of Updating jQuery UI in future Releases?

Possible Solution

Remove any reference to jQuery/jQuery UI

See also

https://github.com/matomo-org/matomo/issues/17272

Context

https://forum.matomo.org/t/potential-jquery-ui-vulnerability-cve-2022-31160/46970
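As an added illustration (not code from this issue, Matomo or jQuery UI), the script below applies the advisory's remediation, wrapping the non-input contents of a checkbox/radio label in a span, and flags labels that meet its detection criteria (a checkboxradio target whose label text carries encoded entities). The regex-based label parsing, the function names and the sample markup are assumptions for a simple fragment without nested labels.

```javascript
// Added example, not Matomo or jQuery UI code. Pure string processing on a
// small HTML fragment; assumes labels are not nested (hypothetical helpers).

const LABEL_RE = /<label\b[^>]*>[\s\S]*?<\/label>/gi;   // whole <label> elements
const INPUT_RE = /<input\b[^>]*>/gi;                      // every <input> tag
const IS_INPUT = /^<input\b[^>]*>$/i;                     // a segment that is one input tag
const ENTITY_RE = /&(?:#\d+|#x[0-9a-f]+|[a-z]+);/i;      // an encoded HTML entity

// True when the label holds a checkbox or radio input, i.e. a checkboxradio target.
function hasCheckboxRadio(labelHtml) {
  return (labelHtml.match(INPUT_RE) || []).some(tag =>
    /\btype\s*=\s*["']?(checkbox|radio)\b/i.test(tag));
}

// Splits a label into its opening tag and alternating input / non-input segments.
function splitLabel(labelHtml) {
  const open = labelHtml.match(/^<label\b[^>]*>/i)[0];
  const inner = labelHtml.slice(open.length, -'</label>'.length);
  const parts = inner.split(/(<input\b[^>]*>)/i).filter(s => s.length > 0);
  return { open, parts };
}

// Detection: labels that contain a checkbox/radio input and whose non-input
// content carries encoded entities, which "refresh" would decode.
function findAtRiskLabels(html) {
  return (html.match(LABEL_RE) || []).filter(label => {
    if (!hasCheckboxRadio(label)) return false;
    const { parts } = splitLabel(label);
    return parts.some(p => !IS_INPUT.test(p) && ENTITY_RE.test(p));
  });
}

// Remediation from the advisory: wrap each non-input segment of a checkbox/radio
// label in a <span>; labels that are not checkboxradio targets are left untouched.
function hardenLabels(html) {
  return html.replace(LABEL_RE, label => {
    if (!hasCheckboxRadio(label)) return label;
    const { open, parts } = splitLabel(label);
    const wrapped = parts.map(p =>
      IS_INPUT.test(p) || p.trim() === '' ? p : `<span>${p}</span>`);
    return open + wrapped.join('') + '</label>';
  });
}

// Constructed sample: one checkbox label with an encoded entity in its text,
// and one text-field label that is not a checkboxradio target.
const SAMPLE = [
  '<label for="opt"><input type="checkbox" id="opt"> Tom &amp; Jerry</label>',
  '<label for="name">Name &amp; surname <input type="text" id="name"></label>',
].join('\n');

console.log(findAtRiskLabels(SAMPLE).length, '\n' + hardenLabels(SAMPLE));
```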

@MatomoForumNotifications commented on August 17th 2022

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/potential-jquery-ui-vulnerability-cve-2022-31160/46970/2

@sgiehl (Member) commented on August 17th 2022

We may fully remove jQuery UI as part of https://github.com/matomo-org/matomo/issues/16033
Besides that we are not aware of any CVE reported for jQuery UI that really affects Matomo.
As we are not using many parts of jQuery UI anymore, most reports affect parts we don't use at all - like this one.

This Issue was closed on August 17th 2022