Spiria Posted May 2, 2022

Hello,

We have been audited by a security firm regarding a new website in ProcessWire. The client is a financial firm and insurance companies are becoming increasingly wary of the vulnerabilities that certain libraries represent. The report mentions the two obsolete jQuery libraries that ProcessWire uses for the admin part. Although the visitor or potential hackers are not aware of the use of these libraries (and the report does indicate that the site is secure), the report still mentions a moderate risk when it comes to the administration of the site.

In short, the following libraries are requested to be updated to remove these vulnerabilities.

.../wire/modules/Jquery/JqueryUI/JqueryUI.js
.../wire/modules/Jquery/JqueryCore/JqueryCore.js

It might be time to upgrade on this side. Is it possible to do this without causing problems in the administration of the site? I can do my own tests, but I would still like to know the reasons why this is not up to date.

Spiria (Author) Posted May 9, 2022

Hi,

I have posted this elsewhere. Without wishing to appear impatient, my client would like to have an answer to give to his skittish insurance company.

We have been audited by a security firm regarding a new website in ProcessWire. The client is a financial firm and insurance companies are becoming increasingly wary of the vulnerabilities that certain libraries represent. The report mentions the two obsolete jQuery libraries that ProcessWire uses for the admin part. Although the visitor or potential hackers are not aware of the use of these libraries (and the report does indicate that the site is secure), the report still mentions a moderate risk when it comes to the administration of the site.

In short, the following libraries are requested to be updated to remove these vulnerabilities.

.../wire/modules/Jquery/JqueryUI/JqueryUI.js
.../wire/modules/Jquery/JqueryCore/JqueryCore.js

It might be time to upgrade on this side. Is it possible to do this without causing problems in the administration of the site? I can do my own tests, but I would still like to know the reasons why this is not up to date.

kongondo Posted May 9, 2022

Hi @Spiria,

I have merged your original thread into this one in the Security forum as it closely aligns to your post. Please feel free to delete/amend the extra post as required.

Back to your question:

1 hour ago, Spiria said:
> I can do my own tests

I'd suggest to go ahead and do this, just to help you in the interim.

1 hour ago, Spiria said:
> Is it possible to do this without causing problems in the administration of the site

JqueryUI and JqueryCore are used pretty much everywhere in the admin. Probably only Ryan knows about possible side effects. Maybe send him a PM? Alternatively, it might be worth opening a GitHub issue? Although these libraries are not used in the frontend, as an insurer, I'd want to be sure that my client locks both their front and back door.

matjazp Posted May 9, 2022

If that's of any help... I haven't tested newer versions since then.

Also https://github.com/processwire/processwire-issues/issues/769