roundcube / roundcubemail

The Roundcube Webmail suite
https://roundcube.net
GNU General Public License v3.0

jQuery-UI: CVE-2021-41182, CVE-2021-41183, CVE-2021-41184 #8455

Closed vvoitiuk closed 2 years ago

vvoitiuk commented 2 years ago

Hi, pentest-tools.com says that jqueryUI 1.12.0 is vulnerable to these:

  1. https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
  2. https://bugs.jqueryui.com/ticket/15284
  3. https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc

alecpl commented 2 years ago

From what I see we're not using any of the vulnerable features. So, I think the plan will be to do nothing in Roundcube <= 1.5, and upgrade to jQuery-UI 1.13.1 in Roundcube 1.6.
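As an added illustration of the kind of dependency check this thread implies (example code written for this page, not Roundcube's or jQuery UI's own), the script below reads the build banner that jQuery UI's release files start with (`/*! jQuery UI - v1.12.0 - ...`, a format assumed here from the library's minified builds) and flags any bundled copy older than the 1.13.1 target named above. The sample banners are constructed; the `YYYY-MM-DD` date is a placeholder, not a real release date.

```python
"""Flag a bundled jQuery UI file that predates the fix version named in the issue.

Added example for this page; not Roundcube's code. The banner format is
assumed from jQuery UI's minified release builds; the sample inputs below
are constructed.
"""
import re
from typing import Optional, Tuple

# Upgrade target from the thread: 1.13.1 carries the fixes for
# CVE-2021-41182 / CVE-2021-41183 / CVE-2021-41184.
FIXED_VERSION: Tuple[int, int, int] = (1, 13, 1)

# Matches "jQuery UI - v<major>.<minor>.<patch>" in the file header.
BANNER_RE = re.compile(r"jQuery UI\s*-\s*v(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a jQuery UI build banner, or None."""
    match = BANNER_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the bundled version is older than the fixed release."""
    return version < FIXED_VERSION


def audit_bundle(text: str) -> str:
    """Produce a one-line verdict for the contents of a jquery-ui*.js file."""
    version = parse_version(text)
    if version is None:
        return "unknown: no jQuery UI banner found"
    label = ".".join(str(part) for part in version)
    if is_vulnerable(version):
        return (f"vulnerable: jQuery UI {label} < 1.13.1 "
                "(CVE-2021-41182, CVE-2021-41183, CVE-2021-41184)")
    return f"ok: jQuery UI {label}"


# Constructed sample headers; the date field is a placeholder.
SAMPLE_OLD = "/*! jQuery UI - v1.12.0 - YYYY-MM-DD\n* http://jqueryui.com\n"
SAMPLE_NEW = "/*! jQuery UI - v1.13.1 - YYYY-MM-DD\n* http://jqueryui.com\n"


if __name__ == "__main__":
    import sys
    # Usage: python check_jqueryui.py path/to/jquery-ui.min.js
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(audit_bundle(fh.read(2048)))  # banner sits in the first bytes
    else:
        for sample in (SAMPLE_OLD, SAMPLE_NEW):
            print(audit_bundle(sample))
```

Run against the `jquery-ui.min.js` shipped in a Roundcube install to confirm which branch you are on: a 1.12.x banner corresponds to the "do nothing in <= 1.5" case above, while 1.13.1 or later is the 1.6 upgrade. The check only reads the version banner, so a file whose header was stripped by a build step reports "unknown" rather than a false "ok".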

alecpl commented 2 years ago

Done.