Package uses outdated versions of JQuery and Bootstrap with vulnerabilities

[GeekInTheNorth]

Hello,

We use the GETA Not Found Handler on a number of our client builds. Recently we had a penetration test and they highlighted vulnerabilities with order 3rd party resources used by the GETA Not Found Handler tool. The penetration tester understood that the functionality was locked behind a user login so the risk was downgraded to medium.

The following is the feedback we received.

Using the Burpsuite scanner, we detected the use of jquery version 3.2.1.slim.min at /EPiServer/Geta.NotFoundHandler.Optimizely/container, (<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js") which has the following vulnerabilities:

• CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
• CVE-2020-11022: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
• CVE-2020-11023: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

We also detected the use of bootstrap version 4.0.0 (<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css")>), which has the following vulnerabilities:

• CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover
• CVE-2018-14041: XSS in data-target property of scrollspy
• CVE-2018-14040: XSS in collapse data-parent attribute
• CVE-2018-14042: XSS in data-container property of tooltip
• CVE-2016-10735: XSS is possible in the data-target attribute.

We were not able to identify any XSS vulnerabilities in the time allowed, however, we have observed XSS vulnerabilities in other sites that have reported this vulnerability – especially those that use the tooltip/popover function.

[ljvictorio]

Duplicate of Issue #50

[GeekInTheNorth]

@marisks Thank you for sorting this out, I do appreciate it :)