View Issue Details

ID: 08437
Project: Bug reports
Category: Security
View Status: public
Last Update: 2013-12-09 15:22
Reporter: mas_carpone
Assigned To: c_schmitz
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.00+
Fixed in Version: 2.05+
Summary: 08437: Failed Security Test due to old (unsafe?) version of jQuery
Description

Dear all,

Not sure about the severity and priority for this. For us it is an issue because the failed security test impedes us from moving to the new version. Here are the details:

Description
This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites select elements using location.hash, which allows someone to inject script into the page. This problem was fixed in jQuery 1.6.3.

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation
Update to the latest version of jQuery.

Tags: No tags attached.
Bug heat: 252
Complete LimeSurvey version number (& build): Version 2.00+ Build 131022
I will donate to the project if issue is resolved: No
Browser:
Database type & version: N/A
Server OS (if known): N/A
Webserver software & version (if known): N/A
PHP Version: N/A
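
Added example (not part of the report and not LimeSurvey or scanner code): a Node.js check that reads the version from a bundled jQuery file banner and flags anything older than 1.6.3, the release the report names as the fix, together with a validator that lets page code look an element up by id without passing location.hash to $(). Function names are hypothetical and the banner strings are constructed samples.

```javascript
// Added example; function names are hypothetical, sample inputs are constructed.
const FIXED = [1, 6, 3]; // release the report names as containing the fix

// Pull the version out of a jQuery file banner such as "/*! jQuery v1.6.2 ...".
function findJQueryVersion(source) {
  const m = /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?[\w-]*)/.exec(source);
  return m ? m[1] : null;
}

// True when the version predates 1.6.3. Unparseable input and pre-releases
// of 1.6.3 itself (for example "1.6.3rc1") count as affected.
function predatesHashFix(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(.*)$/.exec(String(version).trim());
  if (!m) return true;
  const v = [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return m[4] !== ""; // same numbers as the fix: only a final release passes
}

// Accept a URL fragment only if it is a plain element id; otherwise null.
function hashToId(hash) {
  const id = String(hash).replace(/^#/, "");
  return /^[A-Za-z][\w:.-]*$/.test(id) ? id : null;
}

// In page code, look the element up by id instead of passing location.hash to $():
//   const id = hashToId(location.hash);
//   const el = id ? document.getElementById(id) : null;

// Constructed banners, as they would appear at the top of a bundled jquery.js.
const samples = [
  "/*! jQuery v1.6.2 jquery.com | jquery.org/license */",
  "/*!\n * jQuery JavaScript Library v1.10.2\n */",
];
for (const s of samples) {
  const v = findJQueryVersion(s);
  console.log(v, predatesHashFix(v) ? "predates 1.6.3" : "1.6.3 or later");
}
```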

Users monitoring this issue

There are no users monitoring this issue.

Activities

c_schmitz

2013-12-09 15:22

administrator   ~27526

This is fixed in 2.05

Issue History

Date Modified Username Field Change
2013-12-09 11:57 mas_carpone New Issue
2013-12-09 15:22 c_schmitz Note Added: 27526
2013-12-09 15:22 c_schmitz Status new => resolved
2013-12-09 15:22 c_schmitz Fixed in Version => 2.05+
2013-12-09 15:22 c_schmitz Resolution open => fixed
2013-12-09 15:22 c_schmitz Assigned To => c_schmitz
2013-12-09 15:22 c_schmitz Status resolved => closed