View Issue Details

This bug affects 1 person(s).
ID: 17762
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-11-25 12:37
Reporter: HonkXL2
Assigned To: galads
Priority: none
Severity: minor
Status: assigned
Resolution: open
Product Version: 5.2.x
Summary: 17762: vulnerable version of jQuery used
Description: While performing a security scan on our servers, we got the result that a potentially vulnerable version of jQuery is used in the latest build of LimeSurvey. I don't know if this is really a problem, but I think it would be a good idea to bring this up-to-date.

Here is the result of the security scan:

jQuery is vulnerable to Cross-site Scripting (XSS) attacks.
Installed version: 1.7.2
Fixed version: 1.9.0
Installation path / port: /public_html/third_party/qTip2/libs/jquery/jquery.js

The jQuery(strInput) function does not differentiate selectors
  from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was
  HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility
  when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input
  to be HTML if it explicitly starts with the '<' character, limiting exploitability only to
  attackers who can control the beginning of a string, which is far less common.
Detection method
Checks if a vulnerable version is present on the target host.
Details:
    
jQuery < 1.9.0 XSS Vulnerability OID: 1.3.6.1.4.1.25623.1.0.141636
jQuery prior to version 1.9.0.
Steps To Reproduce:

Steps to reproduce
------------------------------
security scan on server installed LimeSurvey

Expected result
-------------------------
none found

Actual result
-----------------
vulnerable version of jQuery found.
Tags: No tags attached.
Bug heat: 258
Complete LimeSurvey version number (& build): 5.2.3 211122
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mariaDB 10.3
Server OS (if known): Debian 11
Webserver software & version (if known): Apache 2.4.x
PHP Version: 7.4.24

Users monitoring this issue

User List There are no users monitoring this issue.
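
The scan above flags bundled jQuery copies by version, including files the application never loads. The following inventory check is an added example, not LimeSurvey or scanner code: it walks a web root and lists jQuery core files older than the reported fixed version. The function names, the banner patterns and the `assets/jquery.min.js` sample path are assumptions made here, and the sample files are constructed.

```python
import os
import re
import tempfile

FIXED = (1, 9, 0)  # "Fixed version" from the scan report
# jQuery core banners: "jQuery v1.8.2" (minified), "jQuery JavaScript Library v1.7.2"
BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")
NAME = re.compile(r"^jquery[-.](\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$", re.I)

def jquery_version(path):
    """Return (major, minor, patch) for a jQuery core file, else None."""
    with open(path, "rb") as fh:
        m = BANNER.search(fh.read(4096))  # banner sits in the header comment
    if m is None:
        m = NAME.match(os.path.basename(path))  # fall back to a versioned filename
    return tuple(int(x) for x in m.groups()) if m else None

def find_outdated(root, fixed=FIXED):
    """Return sorted (relative path, version) pairs for copies older than `fixed`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".js")):
            full = os.path.join(dirpath, name)
            ver = jquery_version(full)
            if ver and ver < fixed:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, ".".join(map(str, ver))))
    return sorted(hits)

def build_sample_tree(root):
    """Write constructed sample files; the first two paths mirror the scan report."""
    samples = {
        "third_party/qTip2/libs/jquery/jquery.js":
            "/*!\n * jQuery JavaScript Library v1.7.2\n */\n",
        "third_party/devbridge-autocomplete/scripts/jquery-1.8.2.min.js":
            "(function(){})();\n",  # no banner, so the filename fallback applies
        "assets/jquery.min.js": "/*! jQuery v3.6.0 */\n",  # hypothetical current copy
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, ver in find_outdated(tmp):
            print(f"{rel}: jQuery {ver} is older than {'.'.join(map(str, FIXED))}")
```

Running it against a real installation means calling `find_outdated` on the web root; a hit only shows the file is present, so whether any page loads it still has to be checked separately.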

Activities

HonkXL2

2021-11-25 10:02

reporter   ~67546

And there is a second file:

jQuery is vulnerable to Cross-site Scripting (XSS) attacks.
Installed version: 1.8.2
Fixed version: 1.9.0
Installation path / port: /public_html/third_party/devbridge-autocomplete/scripts/jquery-1.8.2.min.js

The jQuery(strInput) function does not differentiate selectors
  from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was
  HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility
  when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input
  to be HTML if it explicitly starts with the '<' character, limiting exploitability only to
  attackers who can control the beginning of a string, which is far less common.
Detection method
Checks if a vulnerable version is present on the target host.
Details:

jQuery < 1.9.0 XSS Vulnerability OID: 1.3.6.1.4.1.25623.1.0.141636
    
2021-06-11T08:43:18Z
jQuery prior to version 1.9.0.
DenisChenu

2021-11-25 10:06

developer   ~67548

Last edited: 2021-11-25 10:14

File is here, but not used.

Low (none) security risk
DenisChenu

2021-11-25 10:06

developer   ~67549

Last edited: 2021-11-25 10:14

Best : remove it ;)
HonkXL2

2021-11-25 10:25

reporter   ~67557

I think unused files should be removed!?
ollehar

2021-11-25 10:36

administrator   ~67558

Feel free to remove it in dev branch, Denis.
DenisChenu

2021-11-25 11:02

developer   ~67565

Or update third party ?
galads

2021-11-25 11:05

administrator   ~67567

I already synced it to Zoho. I will assign it to @DenisChenu
DenisChenu

2021-11-25 12:25

developer   ~67569

jquery-autocomplete : https://github.com/LimeSurvey/LimeSurvey/pull/2160
DenisChenu

2021-11-25 12:37

developer   ~67570

qtip2 : https://github.com/LimeSurvey/LimeSurvey/pull/2161

Issue History

Date Modified Username Field Change
2021-11-25 10:00 HonkXL2 New Issue
2021-11-25 10:02 HonkXL2 Note Added: 67546
2021-11-25 10:02 HonkXL2 Bug heat 250 => 252
2021-11-25 10:06 DenisChenu Note Added: 67548
2021-11-25 10:06 DenisChenu Bug heat 252 => 254
2021-11-25 10:06 DenisChenu Note Added: 67549
2021-11-25 10:14 galads View Status public => private
2021-11-25 10:14 galads Bug heat 254 => 260
2021-11-25 10:14 galads Assigned To => galads
2021-11-25 10:14 galads Status new => assigned
2021-11-25 10:25 HonkXL2 Note Added: 67557
2021-11-25 10:26 galads View Status private => public
2021-11-25 10:26 galads Bug heat 260 => 254
2021-11-25 10:36 ollehar Note Added: 67558
2021-11-25 10:36 ollehar Bug heat 254 => 256
2021-11-25 11:02 DenisChenu Note Added: 67565
2021-11-25 11:05 galads Note Added: 67567
2021-11-25 11:05 galads Bug heat 256 => 258
2021-11-25 12:25 DenisChenu Note Added: 67569
2021-11-25 12:37 DenisChenu Note Added: 67570