View Issue Details

This bug affects 1 person(s).

ID: 16356
Project: Bug reports
Category: Security
View Status: public
Last Update: 2020-06-04 12:32
Reporter: thermostat
Assigned To:
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 4.2.5
Summary: 16356: Current jquery (3.4.1) has an XSS vulnerability
Description

The current jQuery version has an XSS vulnerability. This has been fixed in 3.5.x.

See here for an explanation: https://www.infoq.com/news/2020/04/jquery-35-xss-vulnerability-fix/

It seems it works through the html() function, which is used extensively in LimeSurvey.

Tags: No tags attached.
Bug heat: 256
Complete LimeSurvey version number (& build): development
I will donate to the project if issue is resolved: No
Browser:
Database type & version: Not relevant
Server OS (if known):
Webserver software & version (if known):
PHP Version: Not relevant


Activities

thermostat (reporter), 2020-06-02 14:54, note ~58136

See PR here: https://github.com/LimeSurvey/LimeSurvey/pull/1429

DenisChenu (developer), 2020-06-02 14:55, note ~58137

Yes, but the injected HTML must have an issue :)

Still a good idea to update, thanks for the pull request.

thermostat (reporter), 2020-06-02 15:00, note ~58138

Probably true. The most apparent problem here is that company scanners have started to complain, and now LimeSurvey is flagged as insecure. So regardless of it being an actual problem, it is a problem in the eyes of the sysadmins :)

DenisChenu (developer), 2020-06-02 15:19, note ~58140

Yes :) sure.

lime_release_bot (administrator), 2020-06-04 12:32, note ~58176

Fixed in Release 4.2.7+200604

Issue History

Date Modified       Username          Field          Change
2020-06-02 14:52    thermostat        New Issue
2020-06-02 14:54    thermostat        Note Added     58136
2020-06-02 14:55    DenisChenu        Note Added     58137
2020-06-02 15:00    thermostat        Note Added     58138
2020-06-02 15:19    DenisChenu        Note Added     58140
2020-06-04 12:32    lime_release_bot  Note Added     58176
2020-06-04 12:32    lime_release_bot  Status         new => closed
2020-06-04 12:32    lime_release_bot  Resolution     open => fixed