Security : vulnerability on jquery
Closed this issue · 6 comments
Versions of jquery below 3.0.0 are vulnerable to XSS injection.
The index.html does require a lower version of jquery, making the module vulnerable.
ID : CVE-2015-9251
CVSS Score : 6.1
Description : jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Origin : jmespath dependency
@jamesls - I know this package isn't actively maintained, but any update on this? I'd be happy to make the change myself if you could grant contributor access.
jQuery isn't used. No action is needed here.
@darrenmothersele There's an index.html
which seems to be the source of the vulnerability warning.
This is still an issue. It doesn't get flagged in NPM - but it gets flagged in security scans. And this library is a dependency of the AWS-SDK - so it's challenging to work around.
Does this index.html even need to be in the npm package? It's not part of source.
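As an added example (not part of this thread or of the jmespath project): a small JavaScript check that lists the `<script>` tags in a packaged HTML file and marks jQuery versions before 3.0.0, the range CVE-2015-9251 covers. The function name, regexes and sample HTML are constructed for illustration; the actual contents of the package's index.html are not shown in this thread.

```javascript
// Added example: find jQuery references in an HTML file shipped inside a package
// and mark those in the CVE-2015-9251 range (jQuery before 3.0.0).
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
// Matches "jquery-1.11.3.min.js", "jquery/2.2.4/jquery.js", "jquery@1.12.4/..."
const JQUERY_VERSION = /jquery[-@\/](\d+)\.(\d+)\.(\d+)/i;
// A jQuery file name with no version in the path; needs manual review.
const JQUERY_UNVERSIONED = /(^|\/)jquery(\.slim)?(\.min)?\.js($|\?)/i;

function findJqueryRefs(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const src = m[1];
    const v = JQUERY_VERSION.exec(src);
    if (v) {
      // "before 3.0.0" means any major version below 3
      const vulnerable = Number(v[1]) < 3;
      findings.push({ src, version: v.slice(1, 4).join('.'), vulnerable });
    } else if (JQUERY_UNVERSIONED.test(src)) {
      // Version cannot be read from the URL: report it as unknown
      findings.push({ src, version: null, vulnerable: null });
    }
  }
  return findings;
}

// Constructed sample input, not the real index.html from the package.
const SAMPLE_HTML = `
<html><head>
<script src="https://code.jquery.com/jquery-1.11.3.min.js"></script>
<script src="https://cdn.example/jquery/3.6.0/jquery.min.js"></script>
<script src="vendor/jquery.min.js"></script>
<script src="jquery-ui-1.12.1.js"></script>
<script src="app.js"></script>
</head></html>`;

for (const f of findJqueryRefs(SAMPLE_HTML)) {
  const status = f.vulnerable === null ? 'UNKNOWN VERSION'
    : f.vulnerable ? 'VULNERABLE (< 3.0.0)' : 'ok';
  console.log(`${status}\t${f.version ?? '-'}\t${f.src}`);
}
```

A finding in a file that the package never loads at runtime still trips scanners that match on file contents, which is why removing the file from the published package or raising the referenced version are the two ways to clear it.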