
XSS vulnerability on JQuery < 3.5.0 - ProGet 5.3.4



  • Hi,

    An internal security scan has flagged the ProGet website as running a vulnerable version of JQuery.
    Do you have plans to upgrade the version of jQuery used in ProGet?
    If so, can you share when this might be released?

    This is the URL that is being reported https://<server>/resources/InedoLib/jquery-1.11.3.min.js?900.0.0.20

    The CVE for this vulnerability is:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

    This page details the issue, the mitigation, and any issues that may be caused.
    https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

    Thanks,
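As an added example (not part of this thread and not Inedo's code), the following Node.js script reproduces the kind of check the scanner performed: it extracts the jQuery version from script URLs like the one reported above and tests it against the range CVE-2020-11022 applies to (jQuery 1.2.0 up to, but not including, 3.5.0). The version range is taken from the advisory; the sample URLs other than the reported one are constructed for illustration, and the comparison is numeric so that 1.11.x is correctly ranked above 1.9.x.

```javascript
// Added example (not from the thread): parse jQuery script references and
// decide whether they fall in the range CVE-2020-11022 applies to
// (jQuery >= 1.2.0 and < 3.5.0, per the advisory linked in the post).
// Only the first sample URL below mirrors the one the scanner reported;
// the others are constructed for illustration.

const FIRST_AFFECTED = [1, 2, 0];
const FIXED_IN = [3, 5, 0];

// Extract a version triple from a script URL such as
// https://<server>/resources/InedoLib/jquery-1.11.3.min.js?900.0.0.20
// Returns null when the URL does not look like a versioned jQuery file.
function jqueryVersionFromUrl(url) {
  const path = url.split(/[?#]/)[0]; // drop the cache-busting query string
  const m = /\/jquery-(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$/i.exec(path);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Component-wise numeric comparison; a string comparison would rank 1.11 below 1.9.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedByCve202011022(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Triage a list of script URLs (for example, the src attributes of a page's
// <script> tags) into findings a reviewer can act on. A version in range is
// a candidate finding; whether it is exploitable still depends on whether
// untrusted HTML reaches .html()/.append(), which this check cannot see.
function triageScripts(urls) {
  return urls.map((url) => {
    const version = jqueryVersionFromUrl(url);
    if (!version) {
      return { url, version: null, affected: false, note: 'not a versioned jQuery file' };
    }
    const affected = isAffectedByCve202011022(version);
    return {
      url,
      version: version.join('.'),
      affected,
      note: affected
        ? 'in CVE-2020-11022 range; review whether untrusted HTML reaches jQuery DOM methods'
        : 'at or above 3.5.0',
    };
  });
}

// Constructed sample input: the first entry is the URL reported in the post.
const SAMPLE_URLS = [
  'https://<server>/resources/InedoLib/jquery-1.11.3.min.js?900.0.0.20',
  'https://cdn.example.test/jquery-3.5.0.min.js',
  'https://cdn.example.test/jquery-3.4.1.js',
  'https://cdn.example.test/app.bundle.js',
];

for (const finding of triageScripts(SAMPLE_URLS)) {
  console.log(finding);
}
```

Run it with `node` and feed it the script URLs collected from the page under review; a hit only tells you the library version is in range, so the next step is the code review the engineer's reply describes, not an automatic "vulnerable" verdict.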


  • inedo-engineer

    Hello;

    We are aware of the vulnerabilities.

    Our usage of this library is minimal, and we do not use it in a manner that would impact product security (i.e. "passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others)"). So please consider this a "false positive".

    Upgrading the library to 3.5.0 would add no value to ProGet users, but it would provide significant risk of UI regressions and risk of introducing unknown security vulnerabilities that haven't yet been reported.

