mojolicious / mojo

:sparkles: Mojolicious - Perl real-time web framework
https://mojolicious.org
Artistic License 2.0

Potential Issue with jQuery Version in Mojolicious Public Files #2197

Open stomoiaga-bd opened 2 months ago

stomoiaga-bd commented 2 months ago

Steps to reproduce the behavior

  1. Clone the Mojolicious repository.
  2. Navigate to the file located at /Mojolicious/resources/public/mojo/jquery/jquery.js.
  3. The jQuery version found here is 3.4.0, which is vulnerable to CVE-2020-11022.

Expected behavior

Mojolicious should use jQuery version 3.5.0 or later in all public-facing assets to avoid exposure to known vulnerabilities.

Actual behavior

The file /Mojolicious/resources/public/mojo/jquery/jquery.js references jQuery version 3.4.0, which is vulnerable to security issues, including CVE-2020-11022. Updating to version 3.5.0 or later is recommended to mitigate this risk.
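Added example, not code from this issue, from Mojolicious, or from jQuery: a small Node script that shows what CVE-2020-11022 actually changes, and the version check the report performs by hand. The `rxhtmlTag` regex and the `"<$1></$2>"` replacement are reproduced from `jQuery.htmlPrefilter` as shipped before 3.5.0 (3.5.0 made that function return its input unchanged). `elementNames` is my own deliberate simplification of the HTML parser (it models only the raw-text rule for `style`, `script`, `textarea` and `title`, ignores comments and CDATA) so the effect can be seen without a browser; `SAMPLE_BANNER` is a constructed stand-in for the first lines of an unminified `jquery.js`; the function names and `FIXED_IN` are mine. The `<style><style/><img ...>` string is the publicly documented proof-of-concept for this CVE.

```javascript
// Regex and replacement as in jQuery.htmlPrefilter before 3.5.0 (rxhtmlTag).
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery <= 3.4.x: every HTML string given to .html()/.append()/$() etc. had
// its self-closing tags expanded, e.g. "<style/>" -> "<style></style>".
function htmlPrefilter34(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: the string is passed through untouched.
function htmlPrefilter35(html) {
  return html;
}

// Names of elements a browser would actually create from `html`. This is a
// minimal model (assumption, not a real parser): inside these raw-text
// elements everything up to the matching end tag is text, never markup.
const RAW_TEXT = new Set(["style", "script", "textarea", "title"]);

function elementNames(html) {
  const names = [];
  const tagRe = /<([a-zA-Z][^\s\/>]*)[^>]*>/g; // start tags only; "</x>" is skipped
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    names.push(name);
    if (RAW_TEXT.has(name)) {
      const close = html.toLowerCase().indexOf("</" + name, tagRe.lastIndex);
      if (close === -1) break; // unterminated raw text: the rest is text
      tagRe.lastIndex = close; // resume scanning at the end tag
    }
  }
  return names;
}

// Documented proof-of-concept string for CVE-2020-11022. A sanitizer that
// parses it sees one <style> element whose text happens to contain "<img".
const PAYLOAD = "<style><style/><img src=x onerror=alert(1)>";

// The check from the report: read the version out of the file banner and
// compare it with 3.5.0, the first release with the htmlPrefilter change.
// (At runtime in a page, jQuery.fn.jquery holds the same version string.)
const FIXED_IN = [3, 5, 0];

function jqueryVersion(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)/.exec(source);
  return m ? m.slice(1, 4).map(Number) : null;
}

function isOlderThan(version, reference) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== reference[i]) return version[i] < reference[i];
  }
  return false;
}

// Constructed banner; the real unminified file carries the same
// " * jQuery JavaScript Library vX.Y.Z" line near the top.
const SAMPLE_BANNER =
  "/*!\n * jQuery JavaScript Library v3.4.0\n * https://jquery.com/\n */\n";

// Demo output when run directly with `node`.
console.log("3.4 prefilter :", htmlPrefilter34(PAYLOAD));
console.log("elements, 3.4 :", elementNames(htmlPrefilter34(PAYLOAD)));
console.log("elements, 3.5 :", elementNames(htmlPrefilter35(PAYLOAD)));
const found = jqueryVersion(SAMPLE_BANNER);
console.log("banner version:", found.join("."), "older than 3.5.0:", isOlderThan(found, FIXED_IN));
```

The point the two `elementNames` calls make: the same string yields one element through the 3.5 code path and two through the 3.4 path, the second being an `<img>` with an event handler, which is why pre-filtering after sanitization defeated the sanitizer. Because `rxhtmlTag` has a negative lookahead for void elements, `<br/>` is left alone while `<div/>` is expanded.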

kraih commented 2 months ago

There is nothing in Mojolicious that could be exploited with a frontend JavaScript library. We should probably upgrade at some point though or remove jQuery.