eNMS-automation / eNMS

An enterprise-grade vendor-agnostic network automation platform.
https://www.enms.io/
GNU General Public License v3.0
811 stars 161 forks

Update JQuery #417

Open SaneiSaya opened 1 month ago

SaneiSaya commented 1 month ago

I am using this tool and I have recently identified that there is a cross-site scripting vulnerability in the version of jQuery that is used by the eNMS project. I am submitting a request for a change to make this project utilize jQuery 3.5.0 or later if possible so this vulnerability is resolved.

Severity: Medium

CVE: https://github.com/advisories/GHSA-gxr4-xjj5-5px2, https://github.com/advisories/GHSA-jpcq-cgw6-v4j6

According to the self-reported version in the script, the version of jQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross-site scripting vulnerabilities.

Note: the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.

Plugin Output:
URL : https://[hostname]/static/lib/jquery/jquery.min.js
Installed version : 2.2.4
Fixed version : 3.5.0

Upgrade to jQuery version 3.5.0 or later.

SaneiSaya commented 6 days ago

If you want to fix it manually you can update to the following: jQuery 3.6.4, Bootstrap 3.3.7, Bootstrap-Select 1.13.18. I had to update one statement in base.js.

Look for this:

$(window).load(function() { NProgress.done(); });

And modify it to this:

$(window).on('load', function() { NProgress.done(); });

I will create a PR