sonata-project / SonataAdminBundle

The missing Symfony Admin Generator
https://docs.sonata-project.org/projects/SonataAdminBundle
MIT License

Multiple security vulnerabilities - Javascript #5654

Closed eyeskiller closed 3 years ago

eyeskiller commented 5 years ago

Environment

Symfony 3.4

Sonata packages

$ composer show --latest 'sonata-project/*'
sonata-project/admin-bundle              3.51.0 3.51.0 The missing Symfony Admin Generator
sonata-project/block-bundle              3.15.0 3.15.0 Symfony SonataBlockBundle
sonata-project/cache                     1.1.1  2.0.1  Cache library
sonata-project/cache-bundle              2.4.2  3.1.0  This bundle provides caching services
sonata-project/core-bundle               3.17.0 3.17.0 Symfony SonataCoreBundle
sonata-project/datagrid-bundle           2.5.0  3.0.0  Symfony SonataDatagridBundle
sonata-project/doctrine-extensions       1.3.0  1.3.0  Doctrine2 behavioral extensions
sonata-project/doctrine-orm-admin-bundle 3.9.0  3.10.0 Symfony Sonata / Integrate Doctrine ORM into the SonataAdminBundle
sonata-project/exporter                  2.0.1  2.0.1  Lightweight Exporter library
sonata-project/intl-bundle               2.6.0  2.6.0  Symfony SonataIntlBundle

Subject

Security vulnerabilities in javascript libraries

Steps to reproduce

$ npm install -g retire
$ retire

Expected results

No vulnerabilities found :-)

Actual results

builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jqueryui/bower.json
 ↳ jquery-ui 1.10.4 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
/builds/service/service-sme-sk/vendor/eightpoints/guzzle-bundle/EightPoints/Bundle/GuzzleBundle/Resources/public/js/jquery.min.js
 ↳ jquery 1.11.3 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/builds/service/service-sme-sk/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js
 ↳ bootstrap 3.3.7 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
/builds/service/service-sme-sk/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
 ↳ jquery 3.1.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jquery/dist/jquery.js
 ↳ jquery 2.1.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jquery/dist/jquery.min.js
 ↳ jquery 2.1.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jqueryui/ui/jquery-ui.custom.js
 ↳ jquery-ui-dialog 1.10.4 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
 ↳ jquery-ui-autocomplete 1.10.4
 ↳ jquery-ui-tooltip 1.10.4
/builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jqueryui/ui/jquery-ui.js
 ↳ jquery-ui-dialog 1.10.4 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
 ↳ jquery-ui-autocomplete 1.10.4
 ↳ jquery-ui-tooltip 1.10.4
/builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jqueryui/ui/jquery.ui.dialog.js
 ↳ jquery-ui-dialog 1.10.4 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
/builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jqueryui/ui/minified/jquery-ui.custom.min.js
 ↳ jquery-ui-dialog 1.10.4 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
 ↳ jquery-ui-autocomplete 1.10.4
 ↳ jquery-ui-tooltip 1.10.4
/builds/service/service-sme-sk/vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jqueryui/ui/minified/jquery-ui.min.js
 ↳ jquery-ui-dialog 1.10.4 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
 ↳ jquery-ui-autocomplete 1.10.4
 ↳ jquery-ui-tooltip 1.10.4
/builds/service/service-sme-sk/vendor/sonata-project/core-bundle/src/CoreBundle/Resources/public/vendor/jquery/dist/jquery.js
 ↳ jquery 2.1.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/builds/service/service-sme-sk/vendor/sonata-project/core-bundle/src/CoreBundle/Resources/public/vendor/jquery/dist/jquery.min.js
 ↳ jquery 2.1.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/builds/service/service-sme-sk/vendor/sonata-project/core-bundle/src/CoreBundle/Resources/public/vendor/bootstrap/dist/js/bootstrap.js
 ↳ bootstrap 3.3.6 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
/builds/service/service-sme-sk/vendor/sonata-project/core-bundle/src/CoreBundle/Resources/public/vendor/bootstrap/dist/js/bootstrap.min.js
 ↳ bootstrap 3.3.6 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
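As an added example (not code from this issue or from the Sonata project), a small parser for the retire text report quoted above: it turns each `↳` line into a record with its file, component, version, CVE ids and highest severity, then applies a severity threshold, which is the gate a team would put around `retire` in CI while waiting for the vendored assets to be upgraded. The sample input is a constructed, abridged excerpt of the report above; `Finding`, `parse_retire` and `gate` are names chosen here.

```python
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    path: str        # vendored file the component was detected in
    component: str   # e.g. "jquery" or "jquery-ui-dialog"
    version: str
    cves: list = field(default_factory=list)
    max_severity: str = "none"   # highest severity among the advisories listed

# One "↳ <component> <version> [has known vulnerabilities: ...]" report line.
COMPONENT_RE = re.compile(r"^\s*↳\s+(\S+)\s+(\S+)(?:\s+has known vulnerabilities:\s*(.*))?$")

def parse_retire(text: str) -> list:
    """A bare line is a file path; the ↳ lines under it are that file's components."""
    findings, path = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = COMPONENT_RE.match(line)
        if m is None:
            path = line.strip()
            continue
        component, version, detail = m.groups()
        finding = Finding(path, component, version)
        if detail:  # absent for components retire lists without an advisory
            finding.cves = sorted(set(re.findall(r"CVE-\d{4}-\d+", detail)))
            sevs = re.findall(r"severity:\s*(\w+)", detail)
            finding.max_severity = max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="none")
        findings.append(finding)
    return findings

def gate(findings: list, threshold: str = "medium") -> list:
    """Findings at or above the threshold: the ones that should fail a CI run."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.max_severity, 0) >= limit]

# Constructed sample: an abridged excerpt of the report quoted in the issue above.
SAMPLE = """\
vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jquery/dist/jquery.min.js
 ↳ jquery 2.1.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://nvd.nist.gov/vuln/detail/CVE-2019-11358
vendor/sonata-project/admin-bundle/src/Resources/public/vendor/jqueryui/ui/jquery-ui.js
 ↳ jquery-ui-dialog 1.10.4 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; https://nvd.nist.gov/vuln/detail/CVE-2016-7103
 ↳ jquery-ui-autocomplete 1.10.4
 ↳ jquery-ui-tooltip 1.10.4
"""
```

Calling `gate(parse_retire(SAMPLE))` with the default "medium" threshold keeps the jquery 2.1.4 and jquery-ui-dialog 1.10.4 findings and drops the autocomplete and tooltip entries, which retire lists without an advisory of their own.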
OskarStark commented 5 years ago

cc @silasjoisten

@eyeskiller would you like to test PR #5461

core23 commented 5 years ago

We cannot fix this on the stable branch, because our frontend assets are too tightly coupled

github-actions[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

bertterheide commented 4 years ago

Will this be solved in #5461?

VincentLanglet commented 3 years ago

@jordisala1991 Do we still have this issue in master?

jordisala1991 commented 3 years ago

I will try it