RapidScada / scada

Contains Rapid SCADA sources
Apache License 2.0

Possible XSS vulnerabilities due to Bootstrap/jQuery #75

Closed KaiNahrgang closed 2 years ago

KaiNahrgang commented 5 years ago

Hi, the latest version of Rapid Scada still uses jQuery 2.2.3 and Bootstrap 3.3.6, which both have security flaws. Thus, I recommend that you update the libraries to their latest version.

Bootstrap:

jQuery:

Best regards
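
An added example (not part of the issue thread or the Rapid SCADA code base) of how a defender can audit a deployed web root for the bundled library versions named above: it parses the header comment that the official jQuery and Bootstrap builds carry and compares the version against a policy floor. The file paths and file contents are constructed samples, and the minimum versions in `MIN_VERSIONS` are an assumed policy, not values from the issue.

```python
import re
from typing import Optional, Tuple

# Assumed policy floors (not from the issue): releases at or above these carry
# the upstream fixes for the XSS issues reported against the older 2.x / 3.x lines.
MIN_VERSIONS = {
    "jquery": (3, 5, 0),
    "bootstrap": (3, 4, 1),
}

# Header comments as shipped in the official minified builds, e.g.
#   /*! jQuery v2.2.3 | (c) jQuery Foundation | jquery.org/license */
#   /*!
#    * Bootstrap v3.3.6 (http://getbootstrap.com)
HEADER_RE = re.compile(r"(jQuery|Bootstrap)\s+v(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def detect_library(source: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (library, version) parsed from the first 512 chars of a JS file, or None."""
    m = HEADER_RE.search(source[:512])
    if not m:
        return None
    name = m.group(1).lower()
    return name, tuple(int(x) for x in m.group(2, 3, 4))


def audit(files: dict) -> dict:
    """Map each file path to 'ok', 'outdated' or 'unknown' against MIN_VERSIONS."""
    report = {}
    for path, src in files.items():
        found = detect_library(src)
        if found is None:
            report[path] = "unknown"   # no recognised library header; inspect manually
            continue
        name, ver = found
        floor = MIN_VERSIONS.get(name)
        report[path] = "outdated" if floor and ver < floor else "ok"
    return report


# Constructed sample inputs mimicking the headers of the versions named in the issue.
SAMPLE_FILES = {
    "plugins/jquery/jquery.min.js": "/*! jQuery v2.2.3 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}",
    "plugins/bootstrap/js/bootstrap.min.js": "/*!\n * Bootstrap v3.3.6 (http://getbootstrap.com)\n * Copyright 2011-2015 Twitter, Inc.\n */",
    "plugins/bootstrap/js/bootstrap.bundle.min.js": "/*!\n * Bootstrap v5.3.0 (https://getbootstrap.com/)\n */",
    "js/app.js": "// application code without a library header",
}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_FILES).items():
        print(f"{status:9s} {path}")
```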

2mik commented 5 years ago

Hi, thank you for the suggestion. Do you have any examples of how to hack Rapid SCADA?

KaiNahrgang commented 5 years ago

Hi, to be honest, I haven't looked into it yet, so there is a chance that those are only theoretical flaws.

2mik commented 5 years ago

We will update the versions of the libraries on the next iteration of development of the web app.

2mik commented 2 years ago

Bootstrap will be updated in Rapid SCADA 6.