Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#49735 closed defect (bug) (invalid)

The jquery-migrate and jquery packages are vulnerable to Cross-Site Scripting (XSS).

Reported by: tlterry
Owned by:
Milestone:
Priority: normal
Severity: critical
Version:
Component: External Libraries
Keywords:
Focuses:
Cc:

Description

Hi WordPress,

I am having the following issue. Can you please have a look at this issue and how we resolve it? Thank you.

EXPLANATION
The jquery-migrate and jquery packages are vulnerable to Cross-Site Scripting (XSS). The core.js and jquery.js files use an improper regular expression to check for JavaScript code and HTML tags. It allows HTML when location.hash is used in the select element and renders it on the webpage, resulting in XSS.

NOTE: This vulnerability has been assigned CVE-2012-6708.

DETECTION
The application is vulnerable by using this component.

RECOMMENDATION
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

ROOT CAUSE
jquery-migrate:1.4.1   package/dist/jquery-migrate.min.js   ( ,1.4.1]
jquery-migrate:1.4.1   package/src/core.js   ( ,1.4.1]
jquery-migrate:1.4.1   package/dist/jquery-migrate.js   ( ,1.4.1]


EXPLANATION
The qunitjs package is vulnerable to Cross-Site Scripting (XSS). The appendHeader and appendFilteredTest functions in qunit.js do not escape the text when using the setUrl function to render a URL (href) value. An attacker can exploit this vulnerability by influencing the URL value, which when rendered causes XSS attacks.

DETECTION
The application is vulnerable by using this component.

RECOMMENDATION
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

ROOT CAUSE
jquery-migrate-1.4.1.tgz   package/qunit/qunit.js   ( , 1.22.0)


File path
jquery-migrate.js located at /wp-includes/js/jquery
jquery-migrate.min.js located at /wp-includes/js/jquery

Attachments (1)

security-warning.png (33.9 KB) - added by azaozz 4 years ago.


Change History (2)

#1 @azaozz
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

@tlterry I appreciate you trying to help, but could you follow the instructions when creating new trac tickets? Please see the above screenshot. It is not a good idea to post potential security vulnerabilities here.

In addition, this report seems to be invalid. The fix is in the jQuery version used in WP and the QUnit version used is 2.9.3, not 1.22.

Last edited 4 years ago by azaozz
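
The ticket's outcome depends on comparing the versions actually in use with the version ranges in the scanner's ROOT CAUSE lines. The following is an added example, not part of the ticket or of WordPress code: it checks a dotted version against those interval ranges, assuming `(`/`)` are exclusive bounds, `[`/`]` inclusive, and an empty bound is unbounded. All function names are hypothetical, and a range match only says the package version falls in the advisory range, not that the flagged code path is present.

```javascript
// Added example: interval-range check for the scanner's "ROOT CAUSE" lines.
// Assumed syntax: "(" / ")" exclusive, "[" / "]" inclusive, empty bound = unbounded.

function parseVersion(v) {
  // Numeric dotted versions only (e.g. "2.9.3"); anything else is rejected.
  if (!/^\d+(\.\d+)*$/.test(v)) throw new Error("unsupported version: " + v);
  return v.split(".").map(Number);
}

function compareVersions(a, b) {
  // Compare segment by segment as numbers, so 1.9.0 < 1.22.0.
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function parseRange(range) {
  const m = /^([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])$/.exec(range.trim());
  if (!m) throw new Error("unsupported range: " + range);
  return { lowInc: m[1] === "[", low: m[2] || null,
           high: m[3] || null, highInc: m[4] === "]" };
}

function inRange(version, range) {
  const r = parseRange(range);
  if (r.low !== null) {
    const c = compareVersions(version, r.low);
    if (c < 0 || (c === 0 && !r.lowInc)) return false;
  }
  if (r.high !== null) {
    const c = compareVersions(version, r.high);
    if (c > 0 || (c === 0 && !r.highInc)) return false;
  }
  return true;
}

// Ranges as printed in the ticket; "inUse" is the version named on the page.
function triage(findings) {
  return findings.map(f => ({ ...f, inAdvisoryRange: inRange(f.inUse, f.range) }));
}

console.log(triage([
  { component: "jquery-migrate", range: "( ,1.4.1]", inUse: "1.4.1" },
  { component: "qunit", range: "( , 1.22.0)", inUse: "2.9.3" },
]));
```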