jasonparallel
commented
1 month ago Was there an issue that was fixed in 1.13.2 but not included in the release notes (https://jqueryui.com/changelog/1.13.2/)?
Open goiaalexandru opened 1 month ago
jasonparallel
commented
1 month ago Was there an issue that was fixed in 1.13.2 but not included in the release notes (https://jqueryui.com/changelog/1.13.2/)?
d-ellis
commented
1 month ago I don't think there's anything to fix. The CVE proof of concept is so vague it can apply to any app, even if it doesn't use any dependencies. It boils down to "If you take user input and directly insert it into your page, bad things can happen" which is not a jquery-ui problem
mgol
commented
4 weeks ago This CVE looks bogus, I'm in the process of disputing it.
mgol
commented
4 weeks ago For now, I contacted Snyk and they already took it down from their database: https://security.snyk.io/package/npm/jquery-ui
d-ellis
commented
4 weeks ago @mgol I was going to wait until Monday for a response from the reporter and then figure out how to dispute it, but that saves me a job
mgol
commented
4 weeks ago I’ve submitted a CVE request to Mitre to reject this CVE, I’m waiting for a response now.
I was thinking about waiting for the response first, but the whole report looked so shady and people get bombarded by security requests now that I thought I should get the ball rolling ASAP.
d-ellis
commented
3 weeks ago I submitted a request to Sonatype and they have also removed it from their database
riverar
commented
3 weeks ago Thanks @mgol! US Gov. Information Assurance processes are claiming jQuery provided mitigation strategies (upgrading to latest jQuery UI). Have you been in touch with them or is this just (likely) a copy paste error?
mgol
commented
3 weeks ago I've released jQuery UI 1.14.1 today. But there's nothing there to address this report as there's nothing to address, it's bogus. I have not been in touch with them.
riverar
commented
3 weeks ago I'll handle pushing back in that channel and (hopefully) getting a correction out, thanks for confirming.
Package: jquery-ui@1.13.1 or above. Vulnerability Title: [CVE-2024-30875] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability Description: A Cross-Site Scripting (XSS) vulnerability exists in jquery-ui@1.13.1, allowing a remote attacker to execute arbitrary code and potentially obtain sensitive information. This vulnerability is triggered via a crafted payload targeting the window.addEventListener component.
CVSS Score: 5.1 (Medium) CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVE: CVE-2024-30875
Extra: https://cvefeed.io/vuln/detail/CVE-2024-30875
Steps to Reproduce:
Use jquery-ui@1.13.1 or above in a web application. Send a crafted payload to exploit the window.addEventListener component. The payload is improperly neutralized, leading to XSS vulnerability. Please consider patching this vulnerability in the next release.
Thank you!