
jQueryCore failed at audit scan


Spiria

Hello,

We have been audited by a security firm regarding a new website in ProcessWire. The client is a financial firm and insurance companies are becoming increasingly wary of the vulnerabilities that certain libraries represent. The report mentions the two obsolete jQuery libraries that ProcessWire uses for the admin part. Although the visitor or potential hackers are not aware of the use of these libraries (and the report does indicate that the site is secure), the report still mentions a moderate risk when it comes to the administration of the site. In short, the following libraries are requested to be updated to remove these vulnerabilities.

  • .../wire/modules/Jquery/JqueryUI/JqueryUI.js
  • .../wire/modules/Jquery/JqueryCore/JqueryCore.js

It might be time to upgrade on this side. Is it possible to do this without causing problems in the administration of the site? I can do my own tests, but I would still like to know the reasons why this is not up to date.

 


  • Spiria changed the title to jQueryCore and security audit warnings

Hi,

I have posted this elsewhere. Without wishing to appear impatient, my client would like to have an answer to give to his skittish insurance company.

We have been audited by a security firm regarding a new website in ProcessWire. The client is a financial firm and insurance companies are becoming increasingly wary of the vulnerabilities that certain libraries represent. The report mentions the two obsolete jQuery libraries that ProcessWire uses for the admin part. Although the visitor or potential hackers are not aware of the use of these libraries (and the report does indicate that the site is secure), the report still mentions a moderate risk when it comes to the administration of the site. In short, the following libraries are requested to be updated to remove these vulnerabilities.

  • .../wire/modules/Jquery/JqueryUI/JqueryUI.js
  • .../wire/modules/Jquery/JqueryCore/JqueryCore.js

It might be time to upgrade on this side. Is it possible to do this without causing problems in the administration of the site? I can do my own tests, but I would still like to know the reasons why this is not up to date.


Hi @Spiria,

I have merged your original thread into this one in the Security forum as it closely aligns to your post. Please feel free to delete/amend the extra post as required.

Back to your question:

1 hour ago, Spiria said:

I can do my own tests

I'd suggest going ahead and doing this, just to help you in the interim.

1 hour ago, Spiria said:

Is it possible to do this without causing problems in the administration of the site

JqueryUI and JqueryCore are used pretty much everywhere in the admin. Probably only Ryan knows about possible side effects. Maybe send him a PM? Alternatively, it might be worth opening a GitHub issue?

Although these libraries are not used in the frontend, as an Insurer, I'd want to be sure that my client locks both their front and back door.
