jQuery < 1.9.0 XSS Vulnerability

Neil

I don't know if I am concerned about nothing here?

I scan my infrastructure with Greenbone / OpenVAS, to identify potential security weaknesses.

On my cryptpad (5.2.1) installation, I get a few reports of medium risk (6.1) vulnerabilities, relating to old versions of jQuery in differents parts of the cryptpad installation / components (below).

Most do not concern me, being outside the web root, but I wonder if the selenium-webdriver (even though seemingly just there for testing) might be problematic?:

/home/cryptpad/cryptpad/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Does anyone have any thoughts?

/usr/local/share/.cache/yarn/v6/npm-jquery-ui-1.13.2-de03580ae6604773602f8d786ad1abfb75232034-integrity/node_modules/jquery-ui/external/jquery-1.8.2/jquery.js

/usr/local/share/.cache/yarn/v6/npm-jquery-ui-1.13.2-de03580ae6604773602f8d786ad1abfb75232034-integrity/node_modules/jquery-ui/external/jquery-1.8.1/jquery.js

/usr/local/share/.cache/yarn/v6/npm-jquery-ui-1.13.2-de03580ae6604773602f8d786ad1abfb75232034-integrity/node_modules/jquery-ui/external/jquery-1.8.0/jquery.js

/usr/local/share/.cache/yarn/v6/npm-superagent-1.8.3-2b7d70fcc870eda4f2a61e619dd54009b86547c3-integrity/node_modules/superagent/docs/jquery.js
/
usr/local/share/.cache/yarn/v6/npm-jquery-ui-1.13.2-de03580ae6604773602f8d786ad1abfb75232034-integrity/node_modules/jquery-ui/external/jquery-1.8.3/jquery.js

Mathilde

Hello,

I believe there is no issue with this, surely that jQuery version could use an update but there is no particular risk of Cross Site Scripting (XSS) due to how it's used there.

I'll let one of our developers maybe add some details about this.

Neil

Mathilde

there is no particular risk of Cross Site Scripting (XSS) due to how it's used there.

Thanks for your thoughts on this!

Mathilde

Fixed in v5.3.0!