View Issue Details

This bug affects 1 person(s).
ID: 17762
Project: Bug reports
Category: Security
View Status: public
Last Update: 2022-01-05 14:12
Reporter: HonkXL2
Assigned To: galads
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 5.2.x
Summary: 17762: vulnerable version of jQuery used
Description

While performing a security scan on our servers, we got the result that a potentially vulnerable version of jQuery is used in the latest build of LimeSurvey. I don't know if this is really a problem, but I think it would be a good idea to bring this up-to-date.

Here is the result of the security scan:

jQuery is vulnerable to Cross-site Scripting (XSS) attacks.
Installed version: 1.7.2
Fixed version: 1.9.0
Installation path / port: /public_html/third_party/qTip2/libs/jquery/jquery.js

The jQuery(strInput) function does not differentiate selectors
from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was
HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility
when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input
to be HTML if it explicitly starts with the '<' character, limiting exploitability only to
attackers who can control the beginning of a string, which is far less common.
Detection method
Checks if a vulnerable version is present on the target host.
Details:

jQuery < 1.9.0 XSS Vulnerability OID: 1.3.6.1.4.1.25623.1.0.141636
jQuery prior to version 1.9.0.

Steps To Reproduce


Run a security scan on a server with LimeSurvey installed.

Expected result

None found.

Actual result

Vulnerable version of jQuery found.

Tags: No tags attached.
Bug heat: 258
Complete LimeSurvey version number (& build): 5.2.3 211122
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mariaDB 10.3
Server OS (if known): Debian 11
Webserver software & version (if known): Apache 2.4.x
PHP Version: 7.4.24


Activities

HonkXL2 (reporter), 2021-11-25 10:02, ~67546

And there is a second file:

jQuery is vulnerable to Cross-site Scripting (XSS) attacks.
Installed version: 1.8.2
Fixed version: 1.9.0
Installation path / port: /public_html/third_party/devbridge-autocomplete/scripts/jquery-1.8.2.min.js

The jQuery(strInput) function does not differentiate selectors
from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was
HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility
when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input
to be HTML if it explicitly starts with the '<' character, limiting exploitability only to
attackers who can control the beginning of a string, which is far less common.
Detection method
Checks if a vulnerable version is present on the target host.
Details:

jQuery < 1.9.0 XSS Vulnerability OID: 1.3.6.1.4.1.25623.1.0.141636

2021-06-11T08:43:18Z
jQuery prior to version 1.9.0.
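
The scanner's check is a version comparison against 1.9.0. The following is an added example, not code from LimeSurvey or from the scanner, that performs the same check over bundled jQuery copies. The banner formats, the two `/public_html/assets/` paths and all file contents are constructed for illustration; only the first two paths come from the scan result.

```javascript
// Added example (not LimeSurvey or scanner code): audit bundled jQuery copies
// against the 1.9.0 fix version named in the scan result.
const FIXED = [1, 9, 0];

// jQuery banners look like "jQuery JavaScript Library v1.7.2" (unminified)
// or "/*! jQuery v1.8.2 jquery.com ..." (minified).
const BANNER_RE = /jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?/;
// Fallback: version embedded in the file name, e.g. jquery-1.8.2.min.js.
const NAME_RE = /jquery[-.](\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$/i;

function detectVersion(path, content) {
  // Only the head of the file is inspected; the banner is a leading comment.
  const m = BANNER_RE.exec(content.slice(0, 512)) || NAME_RE.exec(path);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

function isBelow(version, floor) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== floor[i]) return version[i] < floor[i];
  }
  return false; // equal to the fixed version counts as fixed
}

function auditJquery(files) {
  return files.map(({ path, content }) => {
    const v = detectVersion(path, content);
    const status = v === null ? 'unknown' : isBelow(v, FIXED) ? 'vulnerable' : 'ok';
    return { path, version: v ? v.join('.') : null, status };
  });
}

// Constructed sample input: the first two paths come from the scan result,
// the file contents are shortened stand-ins for the real files.
const SAMPLE = [
  { path: '/public_html/third_party/qTip2/libs/jquery/jquery.js',
    content: '/*!\n * jQuery JavaScript Library v1.7.2\n * http://jquery.com/\n */' },
  { path: '/public_html/third_party/devbridge-autocomplete/scripts/jquery-1.8.2.min.js',
    content: '(function(a,b){/* banner stripped */})(window);' },
  { path: '/public_html/assets/jquery.min.js', // hypothetical path
    content: '/*! jQuery v3.6.0 | (c) OpenJS Foundation */' },
  { path: '/public_html/assets/jquery.custom.js', // hypothetical path
    content: 'var x = 1;' },
];

for (const r of auditJquery(SAMPLE)) console.log(r.status, r.version, r.path);
```

Files reported as `unknown` carry neither a banner nor a versioned file name and need manual inspection.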

DenisChenu (developer), 2021-11-25 10:06, ~67548
Last edited: 2021-11-25 10:14

File is here, but not used.

Low (none) security risk

DenisChenu (developer), 2021-11-25 10:06, ~67549
Last edited: 2021-11-25 10:14

Best : remove it ;)

HonkXL2 (reporter), 2021-11-25 10:25, ~67557

I think unused files should be removed!?

ollehar (administrator), 2021-11-25 10:36, ~67558

Feel free to remove it in dev branch, Denis.

DenisChenu (developer), 2021-11-25 11:02, ~67565

Or update third party ?

galads (reporter), 2021-11-25 11:05, ~67567

I already synced it to Zoho. I will assign it to @DenisChenu

DenisChenu (developer), 2021-11-25 12:25, ~67569

jquery-autocomplete : https://github.com/LimeSurvey/LimeSurvey/pull/2160

DenisChenu (developer), 2021-11-25 12:37, ~67570

qtip2 : https://github.com/LimeSurvey/LimeSurvey/pull/2161

Issue History

Date Modified Username Field Change
2021-11-25 10:00 HonkXL2 New Issue
2021-11-25 10:02 HonkXL2 Note Added: 67546
2021-11-25 10:02 HonkXL2 Bug heat 250 => 252
2021-11-25 10:06 DenisChenu Note Added: 67548
2021-11-25 10:06 DenisChenu Bug heat 252 => 254
2021-11-25 10:06 DenisChenu Note Added: 67549
2021-11-25 10:14 galads View Status public => private
2021-11-25 10:14 galads Bug heat 254 => 260
2021-11-25 10:14 galads Zoho Project Synchronization => |Yes|
2021-11-25 10:14 galads Assigned To => galads
2021-11-25 10:14 galads Status new => assigned
2021-11-25 10:25 HonkXL2 Note Added: 67557
2021-11-25 10:26 galads View Status private => public
2021-11-25 10:26 galads Zoho Project Synchronization Yes => |Yes|
2021-11-25 10:26 galads Bug heat 260 => 254
2021-11-25 10:36 ollehar Note Added: 67558
2021-11-25 10:36 ollehar Bug heat 254 => 256
2021-11-25 11:02 DenisChenu Note Added: 67565
2021-11-25 11:05 galads Note Added: 67567
2021-11-25 11:05 galads Bug heat 256 => 258
2021-11-25 12:25 DenisChenu Note Added: 67569
2021-11-25 12:37 DenisChenu Note Added: 67570
2021-12-07 18:27 c_schmitz Status assigned => resolved
2021-12-07 18:27 c_schmitz Resolution open => fixed
2022-01-05 14:12 c_schmitz Status resolved => closed