buunguyen / topbar

Tiny & beautiful site-wide progress indicator
http://buunguyen.github.io/topbar/
445 stars 43 forks

jquery 1.10.2 has known vulnerabilities #10

Closed firmwebsite closed 3 years ago

firmwebsite commented 3 years ago

Hello.

Please could you upgrade the jquery in your source code to the latest version free of known vulnerabilities. While I did not investigate whether it is possible to exploit the bug, it affects the output of different security code analysis tools and requires manual effort to verify whether the bug is exploitable in the sites that use your component. Here are the details about the bug:

jquery 1.10.2 has known vulnerabilities:

severity: medium; issue: 2432; summary: 3rd party CORS request may execute; CVE: CVE-2015-9251
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/

severity: medium; CVE: CVE-2015-9251; issue: 11974; summary: parseHTML() executes scripts in event handlers
https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/

severity: low; CVE: CVE-2019-11358; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

severity: medium; CVE: CVE-2020-11022; summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

severity: medium; CVE: CVE-2020-11023; summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
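The practical question behind a report like this is "which vendored jQuery file is in the repo, what version is it, and which of the listed CVEs still apply to that version". The following is an added example, not code from the topbar project or from either participant: it pulls the version string out of a jQuery file's banner or source constants and compares it numerically against the fix versions. The fix thresholds are assumptions recorded in the code (3.4.0 and 3.5.0 from the release posts linked in the report; 3.0.0 for CVE-2015-9251 as the first release line the linked NVD entry lists as unaffected), and the banner lines fed in are constructed sample input.

```javascript
// Added example: audit a vendored jQuery file against the CVEs named in the report.
// Fix-version thresholds are assumptions to verify against the linked release posts:
//   CVE-2015-9251               -> assumed fixed from 3.0.0 (per the linked NVD entry)
//   CVE-2019-11358              -> fixed in 3.4.0 (jQuery 3.4.0 release post)
//   CVE-2020-11022 / 11023      -> fixed in 3.5.0 (jQuery 3.5.0 release post)
const ADVISORIES = [
  { cve: "CVE-2015-9251", severity: "medium", summary: "3rd party CORS request may execute", fixedIn: "3.0.0" },
  { cve: "CVE-2019-11358", severity: "low", summary: "jQuery.extend(true, {}, ...) Object.prototype pollution", fixedIn: "3.4.0" },
  { cve: "CVE-2020-11022", severity: "medium", summary: "jQuery.htmlPrefilter regex may introduce XSS", fixedIn: "3.5.0" },
  { cve: "CVE-2020-11023", severity: "medium", summary: "jQuery.htmlPrefilter regex may introduce XSS", fixedIn: "3.5.0" },
];

// "1.10.2" -> [1, 10, 2]; a missing or non-numeric component counts as 0.
function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10) || 0);
}

// Component-wise numeric comparison returning -1, 0 or 1. A plain string
// comparison would rank "1.9.1" above "1.10.2", the very version in question.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// jQuery carries its version in the file banner ("/*! jQuery v1.10.2 ..." for
// minified builds, "jQuery JavaScript Library v1.10.2" for unminified ones) and
// in a source constant (assumed patterns: 'jquery: "1.10.2"' in 1.x sources,
// 'version = "3.5.1"' in 3.x sources). Try the banner first, then the constants.
function detectJqueryVersion(contents) {
  const patterns = [
    /jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)/,
    /jquery:\s*"(\d+\.\d+\.\d+)"/,
    /version\s*=\s*"(\d+\.\d+\.\d+)"/,
  ];
  for (const re of patterns) {
    const m = contents.match(re);
    if (m) return m[1];
  }
  return null;
}

// Every advisory whose fix version is strictly greater than the detected version.
function applicableAdvisories(version) {
  return ADVISORIES.filter((a) => compareVersions(version, a.fixedIn) < 0);
}

function auditJqueryFile(contents) {
  const version = detectJqueryVersion(contents);
  if (version === null) return { version: null, advisories: [] };
  return { version, advisories: applicableAdvisories(version) };
}

// Constructed sample inputs: the banner line of a 1.10.2 build and of a 3.5.1 build.
const SAMPLE_OLD = "/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license */";
const SAMPLE_NEW = "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */";

if (typeof module !== "undefined" && require.main === module) {
  for (const sample of [SAMPLE_OLD, SAMPLE_NEW]) {
    const result = auditJqueryFile(sample);
    const cves = result.advisories.map((a) => `${a.cve} (${a.severity})`).join(", ");
    console.log(result.version, cves || "none of the listed CVEs apply");
  }
}
```

Run it over every `*.js` under the sample or docs directory rather than the library source: as the maintainer notes below, the scanner flagged the demo page's copy of jQuery, not the library, and the version check only tells you whether a listed CVE is in range, not whether the page that loads it reaches the affected API (cross-domain `$.ajax` without `dataType`, `$.extend(true, ...)` on untrusted input, or HTML passed through `htmlPrefilter`).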

buunguyen commented 3 years ago

This library doesn't use jquery. Are you sure you post this to the right repository?

buunguyen commented 3 years ago

Oh I think I know why, the sample page, also in this repo, uses jquery. But the library itself doesn't. I'll upgrade jquery in the sample page anyway.

buunguyen commented 3 years ago

Done. Please upgrade to the latest version.