
jQuery UI 1.8.1

Tags: security, releasecandidate

#1

Hello,

I’m noticing that phpList is using jQuery UI version 1.8.1; however, there is an XSS vulnerability when using versions lower than 1.10.0.

https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-31126/Jquery-Jquery-Ui.html

Locations I could find:

\phplist-3.4.0-RC2\public_html\lists\admin\js\jquery-ui-1.8.1.all.min.js
\phplist-3.4.0-RC2\public_html\lists\admin\ui\default\js\all.js
\phplist-3.4.0-RC2\public_html\lists\admin\ui\default\js\all.min.js

I know that the release candidate updated other jQuery libraries. Perhaps this update can happen concurrently?

Regards,
Kathleen
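
An added example, not part of the original post and not phpList code: a scanner that finds jQuery UI copies older than the 1.10.0 threshold named above by reading file contents, since bundles such as `all.js` and `all.min.js` do not carry the version in their names. The marker patterns and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Threshold from the post above: versions lower than 1.10.0 are reported as affected.
FIXED_IN = (1, 10, 0)

# Assumed version markers: the banner comment ("jQuery UI 1.8.1" or
# "jQuery UI - v1.10.0") and the ui object's version property.
MARKERS = [
    re.compile(r"jQuery UI(?: -)? v?(\d+)\.(\d+)\.(\d+)"),
    re.compile(r"""\.ui\s*,\s*\{\s*version\s*:\s*["'](\d+)\.(\d+)\.(\d+)["']"""),
]

def find_versions(text):
    """Return the set of jQuery UI version tuples whose markers appear in text."""
    return {tuple(map(int, m.groups())) for rx in MARKERS for m in rx.finditer(text)}

def scan(root):
    """Map each .js file under root embedding an affected jQuery UI to its versions."""
    findings = {}
    for path in sorted(Path(root).rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        # Compare as integer tuples: as strings, "1.8.1" sorts after "1.10.0".
        old = sorted(v for v in find_versions(text) if v < FIXED_IN)
        if old:
            findings[path.relative_to(root).as_posix()] = old
    return findings

def build_sample_tree(root):
    """Constructed sample files (not phpList's real contents) mirroring the post's layout."""
    files = {
        "admin/js/jquery-ui-1.8.1.all.min.js": "/*!\n * jQuery UI 1.8.1\n */\n(function(c){})(jQuery);",
        "admin/ui/default/js/all.min.js": 'var x=1;c.extend(c.ui,{version:"1.8.1",plugin:{}});',
        "admin/ui/default/js/other.js": "/*! jQuery UI - v1.10.0 */",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)

if __name__ == "__main__":
    for name, versions in demo().items():
        print(name, [".".join(map(str, v)) for v in versions])
```

To check a real install, call `scan()` on the unpacked `lists` directory; a file that strips both markers will not be detected.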


#2

@kgarland Many thanks for pointing this out. Unfortunately staff developers didn’t have time to finish the upgrade of this and the copy of jQuery on public pages in time for today’s release. Some of the upgrades caused UI issues that there wasn’t time to fix.

If you have time, you could help by working on upgrading one of the outdated copies in a branch. If you do so, please notify the community here.

One way or another these updates should be included in the next release.


#3

FYI this issue is now in the bug tracker here: https://mantis.phplist.org/view.php?id=19831