jQuery 2.1.4 Cross-site Scripting (XSS) vulnerability

  • partomas
    Active Community Member
    • Sep 2018
    • 331

    jQuery 2.1.4 Cross-site Scripting (XSS) vulnerability

    Hello, we were informed that jQuery 2.1.4 has a Cross-site Scripting (XSS) vulnerability and that our system can be misused. For more details: https://www.cvedetails.com/vulnerabi...ery-2.1.4.html

    Here is a sample of jQuery 2.1.4: .../client/espo.min.js. Might it be good to use a more secure version?
  • Chukach
    Junior Member
    • Jul 2021
    • 1

    #2
    Good day
    The latest jQuery version 2 still has some vulnerabilities,

    and the remediation is updating to the latest jQuery, version 3, but the whole project is written on jQuery version 2, as I understand.

    Any idea how this vulnerability can be resolved?


    ZAP Scanning Report

    Description: The identified library jquery, version 2.2.4 is vulnerable.

    Instance 1
      URL: client/espo.min.js?r=1625519810
      Method: GET
      Evidence: ,m="2.2.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};function s(a){var b="length"in a&&a.length,c=n.type(a);return"function"!==c&&!n.isWindow(a)&&(!(1!==a.nodeType||!b)||("array"===c||0===b||"number"==typeof b&&0<b&&b-1 in a))}n.fn=n.prototype={jquery:m,

    Instance 2
      URL: client/espo.min.js?r=1625516753
      Method: GET
      Evidence: identical to instance 1

    Instances: 2
    Solution: Please upgrade to the latest version of jquery.
    Other information:
      CVE-2020-11023
      CVE-2020-11022
      CVE-2015-9251
      CVE-2019-11358
    Reference:
      https://github.com/jquery/jquery/issues/2432
      http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
      http://research.insecurelabs.org/jquery/test/
      https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
      https://nvd.nist.gov/vuln/detail/CVE-2019-11358
      https://nvd.nist.gov/vuln/detail/CVE-2015-9251
      https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
      https://bugs.jquery.com/ticket/11974
      https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
    CWE Id: 829
    Source ID: 3

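    As an added example (not code from this thread or from the EspoCRM project): a small Node script that pulls the jQuery version out of a minified bundle the same way the ZAP evidence above exposes it (`m="2.2.4"` ... `jquery:m`) and lists which of the four CVEs in the report were fixed only in a later release. The fix versions come from the jQuery 3.0, 3.4.0 and 3.5.0 release notes the report links; `SAMPLE_MINIFIED` is a constructed input.

```javascript
// Added example, not code from the thread or from EspoCRM: audit a jQuery bundle
// the way the ZAP finding above does. The version is pulled from the minified
// source (m="2.2.4" ... jquery:m) and compared against the release that fixed
// each CVE named in the report (fix versions from the linked jQuery release notes).

const JQUERY_CVES = [
  { id: "CVE-2015-9251", fixedIn: "3.0.0" },  // cross-domain ajax script execution
  { id: "CVE-2019-11358", fixedIn: "3.4.0" }, // prototype pollution in $.extend
  { id: "CVE-2020-11022", fixedIn: "3.5.0" }, // XSS via htmlPrefilter
  { id: "CVE-2020-11023", fixedIn: "3.5.0" }, // XSS via <option> element handling
];

// Minified builds keep the version in a short variable that is later assigned to
// the "jquery" prototype property; unminified builds use `version = "x.y.z"`.
function extractJqueryVersion(source) {
  const prop = source.match(/jquery:\s*([A-Za-z_$][\w$]*)/);
  if (prop) {
    const name = prop[1].replace(/\$/g, "\\$");
    const assign = source.match(new RegExp(`\\b${name}\\s*=\\s*"(\\d+\\.\\d+\\.\\d+)"`));
    if (assign) return assign[1];
  }
  const direct = source.match(/(?:jquery:|version\s*=)\s*"(\d+\.\d+\.\d+)"/);
  return direct ? direct[1] : null;
}

// Numeric compare of "major.minor.patch" strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// CVE ids whose fix release is newer than the bundled version.
function openCves(version) {
  return JQUERY_CVES.filter(c => compareVersions(version, c.fixedIn) < 0).map(c => c.id);
}

function auditBundle(source) {
  const version = extractJqueryVersion(source);
  return version ? { version, open: openCves(version) } : { version: null, open: [] };
}

// Constructed sample that mirrors the shape of the ZAP evidence line above.
const SAMPLE_MINIFIED =
  ',m="2.2.4",n=function(a,b){return new n.fn.init(a,b)};n.fn=n.prototype={jquery:m,';

console.log(auditBundle(SAMPLE_MINIFIED)); // version 2.2.4, all four CVEs still open
```

    Run it against the real `client/espo.min.js` to get a version-based answer; whether a listed CVE is actually reachable in EspoCRM is a separate question the maintainers address below.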

    • tarasm
      Super Moderator
      • Mar 2014
      • 573

      #3
      In most cases, these vulnerabilities do not affect EspoCRM v6+.
      The new release v7.0.0 will have jQuery updated to version 3.5.


      • esforim
        Active Community Member
        • Jan 2020
        • 2204

        #4
        Can you re-test it on v6 and see if that is the case, Chukach?


        • yuri
          Member
          • Mar 2014
          • 8440

          #5
          > Any idea how this vulnerability can be resolved?

          I suggest just ignoring them on v6. They do not apply in the EspoCRM context.
          If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.


          • bradaks
            Active Community Member
            • Aug 2017
            • 251

            #6
            Here is a post that was made yesterday on this topic.

            Rapid7 discloses vulnerabilities in 3 open source software packages used by several small and midsized businesses.



            • yuri
              yuri commented
              It does not relate to this topic.
          • esforim
            Active Community Member
            • Jan 2020
            • 2204

            #7
            Although it is not related to this topic itself... the vulnerability exists in the current 'stable', right?

            My version at the moment is 6.1.2; they tested on v6.1.6, which I assume affects every version before then... the current stable version is 6.1.8, which could have fixed these flaws. I sort of want to try it on my own system to see.

            I guess the only good point for us is that we don't activate the portal, so not too many people know about our EspoCRM installation.

            Reading through the article, the score is quite low, so in one way that is a good sign, unlike Akaunting, which scored in the 8.x range.

            CVE-2021-3539 (CVSS score: 6.3) - Persistent XSS flaw in EspoCRM v6.1.6

            The good news is that it seems to be fixed? "For all of these issues, updating to the latest versions of the affected applications will resolve them"
            Last edited by esforim; 07-29-2021, 08:13 AM.



            • yuri
              yuri commented
              A vulnerability in a library does not mean a vulnerability in the application that uses that library.