Upgrade to jQuery version 3.5.0 or above #17272
Comments
Thanks for creating the issue. We haven't yet updated jQuery as it caused problems with our WordPress plugin. Once we have solved it I guess we will update it at least in the next major release. See matomo-org/matomo-for-wordpress#314 Also I'm not sure if those vulnerabilities apply to Matomo (if you have a proof of concept for any of them in Matomo, it would be great if you could report it to https://matomo.org/security/).
I don't know if the XSS is really applicable to Matomo, it's very likely that it's not. It just popped up in a pentest report and I wanted to let you know. It was classified as an unverified medium level issue, so it's not a dealbreaker for us.
FYI we applied the recommended patch for this one in 3aeb55f#diff-c1ed6b08f25739fbcb946deed857f1b4a1aaaf560af98a8e7256fecf129fa967R8 . I'm quite certain we can close this one?
Closing this one for now as the fix is already applied.
This issue has been mentioned on Matomo forums. There might be relevant details there: https://forum.matomo.org/t/jquery-vulnerability-in-latest-matamo/46861/2
@tsteur, I don't understand: you wrote:
But in https://demo.matomo.cloud/index.php if you open the browser console, then type:
you'll get:
@heurteph-ei The title of this issue didn't match the description. The description was more related to an XSS issue in jQuery 2.2.4.
Summary
jQuery version 2.2.4 has an XSS vulnerability.
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
See CVE-2020-11022 for details.
Your Environment
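The thread turns on whether the jQuery a page loads falls in the affected range (>= 1.2 and < 3.5.0 per the description above), which the commenter checked by hand in the browser console. The check below is an added example, not code from this issue, Matomo or jQuery: it compares version strings numerically (so 3.10.x is correctly treated as newer than 3.5.0) and reads the version from the standard `jQuery.fn.jquery` property when a jQuery global is present; the sample version strings are constructed inputs.

```javascript
// Added example: classify a jQuery version against the CVE-2020-11022 range
// (>= 1.2 and < 3.5.0) and audit the jQuery loaded on a page.
// Assumes the page exposes `jQuery.fn.jquery` (jQuery's own version string).

// Parse "3.5.0", "2.2.4" or "1.12.4-pre" into three numeric parts.
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Part-by-part numeric comparison: returns -1, 0 or 1.
// A plain string comparison would wrongly rank "3.10.0" below "3.5.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside the range the CVE covers.
function isAffectedByCVE202011022(version) {
  return compareVersions(version, "1.2.0") >= 0 &&
         compareVersions(version, "3.5.0") < 0;
}

// Inspect the jQuery global on a page (what the console check above does)
// and return a small report rather than printing, so it can be asserted on.
// `global` defaults to `window` in a browser; pass an object to test offline.
function auditJQuery(global = typeof window !== "undefined" ? window : {}) {
  const jq = global.jQuery;
  if (!jq || !jq.fn || typeof jq.fn.jquery !== "string") {
    return { present: false, version: null, affected: false };
  }
  const version = jq.fn.jquery;
  return { present: true, version, affected: isAffectedByCVE202011022(version) };
}
```

Running `auditJQuery()` in the console of a page that bundles jQuery 2.2.4 reports `affected: true`; after an upgrade to 3.5.0 or later it reports `affected: false`.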