
Enhancement request: address jQuery security vulnerabilities #1122

Closed
solomchuk opened this issue Feb 22, 2021 · 1 comment · Fixed by #1352
Labels: size-large (more than 2 days)

@solomchuk

Skosmos currently requires jQuery v2.2.* to run, which in practice means v2.2.4 as the latest available. This version contains several security vulnerabilities, including:

  1. CVE-2019-11358
  2. CVE-2015-9251

The jQuery team will not release updates to the old version (see jquery/jquery#4559), instead recommending an upgrade to v3+.

These vulnerabilities have a medium threat score and allow potential cross-site scripting (XSS) attacks. There are mitigating steps we can take via configuration of the web server and PHP to reduce the probability of such attacks succeeding. However, the issue is still being flagged up by the security compliance team of our customer (the European Space Agency).

We would like to know whether there are any plans for migrating Skosmos to use jQuery v3.5+ to address this issue.

As an additional note, there are unofficial patches available for back-porting fixes for some of the above vulnerabilities to older versions of jQuery, see https://github.com/DanielRuf/snyk-js-jquery-565129.
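As an added illustration of the two CVEs named above (not part of the issue, and not Skosmos or jQuery code): a simplified re-implementation of the deep-merge behaviour of `jQuery.extend(true, ...)` before 3.4.0, which is what CVE-2019-11358 abuses, placed next to the guarded form that jQuery 3.4.0 introduced, plus a check of a jQuery version string against the fixed versions of both CVEs (CVE-2015-9251 fixed in 3.0.0, CVE-2019-11358 fixed in 3.4.0). The merge functions, the `pollutes` probe and the attacker JSON payload are constructed here for the demonstration and are not jQuery's actual source; they run in plain Node.js without jQuery installed.

```javascript
// Added example, not code from the Skosmos issue, Skosmos, or jQuery itself.
// Simplified re-implementation of the deep-merge behaviour of
// jQuery.extend(true, ...) before 3.4.0 (CVE-2019-11358) beside the guarded
// form that 3.4.0 introduced, and a check of a jQuery version string against
// the two CVEs named in the issue.

// Simplified deep merge in the style of jQuery < 3.4.0: every enumerable key of
// src, including an own "__proto__" key produced by JSON.parse, is followed
// recursively. Reading target["__proto__"] yields Object.prototype, so the
// nested values are written onto it: prototype pollution.
function deepExtendVulnerable(target, src) {
  for (const name in src) {
    const copy = src[name];
    if (copy && typeof copy === 'object' && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing && typeof existing === 'object' ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Guarded form: the check jQuery 3.4.0 added skips "__proto__" (and a
// self-reference), so attacker-controlled JSON can no longer reach
// Object.prototype while ordinary nested objects still merge as before.
function deepExtendSafe(target, src) {
  for (const name in src) {
    const copy = src[name];
    if (name === '__proto__' || target === copy) {
      continue;
    }
    if (copy && typeof copy === 'object' && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing && typeof existing === 'object' ? existing : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one merge on a constructed attacker-controlled JSON document (the kind
// of input a request body or query parameter might carry) and reports whether
// a fresh, unrelated object afterwards carries the injected property. The
// prototype is cleaned up again so the rest of the process is unaffected.
function pollutes(extendFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input
  extendFn({}, payload);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

// "major.minor.patch" comparison, sufficient for jQuery release strings.
function versionLessThan(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10) || 0);
  const pb = b.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// CVE-2015-9251 (cross-domain ajax executing text/javascript responses) is
// fixed in jQuery 3.0.0; CVE-2019-11358 (prototype pollution via extend) in 3.4.0.
function affectedBy(jqueryVersion) {
  const cves = [];
  if (versionLessThan(jqueryVersion, '3.0.0')) cves.push('CVE-2015-9251');
  if (versionLessThan(jqueryVersion, '3.4.0')) cves.push('CVE-2019-11358');
  return cves;
}

console.log(pollutes(deepExtendVulnerable), pollutes(deepExtendSafe)); // true false
console.log(affectedBy('2.2.4')); // both CVEs, as for the version Skosmos pins
console.log(affectedBy('3.5.1')); // none
```

The `affectedBy` check can be pointed at the `jQuery.fn.jquery` string of a deployed page to confirm which of the two CVEs still apply after an upgrade; note that it covers only the two CVEs the issue names, not any later jQuery advisories.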

@kouralex
Contributor

Thank you for the issue report.

Yes, there exists a plan to upgrade our jQuery version. I have just started the preparation work for it, see PR #1144, which was just merged into the code base. We hope to deliver a Skosmos version with jQuery 3.x as soon as possible, and it will be a development focus in the forthcoming sprint(s).

kouralex removed their assignment on Jun 8, 2022
osma mentioned this issue on Sep 6, 2022
osma self-assigned this on Sep 6, 2022
Vainonen modified the milestones: Next Tasks, 2.16 on Oct 6, 2022