Open cscicchillo opened 3 years ago
GEE currently is running jQuery 1.8.3 (portable globe code) and jQuery 3.2.1 (geedocs code), both of which contain potentially serious vulnerabilities:
"In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code."
CVE records:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Alternatively, if the huge jump in major version is too involved, upgrade 1.8.3 to 1.12.4 and apply the code patches found here: https://github.com/DanielRuf/snyk-js-jquery-565129
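As an added example (not code from this issue, from GEE or from jQuery itself), the following JavaScript flags a jQuery version that falls in the range quoted above and applies the `htmlPrefilter` identity override that jQuery 3.5.0 introduced, which is the mitigation for pre-3.5 builds that cannot be upgraded. `legacyJQuery`, `rxhtmlTag` and `auditJQuery` are constructed stand-ins for this example; only the `jQuery.fn.jquery` version string and `jQuery.htmlPrefilter` hook are real jQuery API.

```javascript
// Added example, not from the GEE issue: flag jQuery versions in the range named
// by CVE-2020-11022/11023 (>= 1.0.3 and < 3.5.0) and apply the htmlPrefilter
// hardening that jQuery 3.5.0 shipped, for builds that cannot be upgraded.

// Parse "1.8.3" into [1, 8, 3]; missing or non-numeric components count as 0.
function parseVersion(v) {
  return v.split(".").map((p) => parseInt(p, 10) || 0);
}

// Component-wise comparison of two dotted versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the range the CVE text gives.
function isVulnerableJQueryVersion(version) {
  return compareVersions(version, "1.0.3") >= 0 && compareVersions(version, "3.5.0") < 0;
}

// Pre-3.5 jQuery expanded self-closing tags (e.g. "<p/>" to "<p></p>") before
// inserting HTML. This regex is a constructed approximation of that rewrite,
// used only so the stand-in below behaves like a legacy build.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;

// Constructed stand-in for a legacy jQuery object; jQuery exposes its version
// at jQuery.fn.jquery and its HTML pre-processing hook at jQuery.htmlPrefilter.
const legacyJQuery = {
  fn: { jquery: "1.8.3" },
  htmlPrefilter: (html) => html.replace(rxhtmlTag, "<$1></$2>"),
};

// Mitigation: make htmlPrefilter return its input unchanged, as 3.5.0 does.
function hardenHtmlPrefilter(jq) {
  jq.htmlPrefilter = (html) => html;
  return jq;
}

// Audit helper (constructed): report version exposure and whether the build
// still rewrites markup on the way into .html()/.append().
function auditJQuery(jq) {
  return {
    version: jq.fn.jquery,
    vulnerable: isVulnerableJQueryVersion(jq.fn.jquery),
    rewritesMarkup: jq.htmlPrefilter("<p/>") !== "<p/>",
  };
}
```

Run `auditJQuery(legacyJQuery)` before and after `hardenHtmlPrefilter(legacyJQuery)` to see `rewritesMarkup` flip from `true` to `false`; the version flag stays `true` until the library itself is upgraded to 3.5.0 or later.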