Fixed jQuery 3.3.1 Cross-Site Scripting Vulnerability

Affected version
2.x

ActorMike

Active member
I did my PCI compliance scan today and it failed because we are using a version of jQuery prior to 3.4.0.
jQuery prior to 3.4.0 Cross-Site Scripting Vulnerability - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Is it okay to manually update it, or will it crash the forum?

Mike
 

Mike

XenForo developer
Staff member
So we have already updated to 3.4.1 for 2.2, as we tend to mostly do jQuery updates with second point releases since there can be some minor BC breaks at times, but I'll move this to bugs and we can investigate an update for 2.1.

There shouldn't be an obvious issue manually updating, though you'd likely need to overwrite the jQuery files and keep them named 3.3.1 so the changes get picked up. (Otherwise you would also need some direct file changes.) There are also patches: https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Worth noting that I don't believe the particular report has any sort of exploitability in XF.
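The "affected function" Mike refers to for CVE-2019-11358 is jQuery.extend() called in deep mode: a source object carrying a key literally named __proto__ let the recursive merge write into Object.prototype. The following is an added example written for this thread, not jQuery's source and not XenForo code. It re-creates the pre-3.4.0 deep merge in stripped-down form beside the one-line change that shipped in 3.4.0 (skipping the __proto__ key), and drives both with a constructed JSON payload. It shows why exploitability comes down to whether attacker-controlled objects ever reach that merge, which is the point Mike makes about the type of data XF passes in.

```javascript
// Added example for this thread (not jQuery's source and not XenForo code):
// a stripped-down re-creation of the recursive merge inside
// jQuery.extend(true, target, source) as it behaved before 3.4.0, beside the
// one-line change that closed CVE-2019-11358. jQuery's other extend() branches
// (arrays, multiple sources, the non-deep path) are omitted on purpose.
function isPlainObject(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  const proto = Object.getPrototypeOf(obj);
  // Object.prototype itself has a null prototype, so it counts as "plain" here,
  // as in jQuery's isPlainObject(); that is what lets the recursion descend into it.
  return proto === null || proto === Object.prototype;
}

// Pre-3.4.0 behaviour: the "__proto__" key gets no special handling.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const src = target[name];   // for name === "__proto__" this resolves to Object.prototype
    const copy = source[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy); // recursion merges into Object.prototype
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// 3.4.0 behaviour: the prototype key is skipped (jQuery also skips target === copy there).
function deepExtendFixed(target, source) {
  for (const name in source) {
    if (name === '__proto__') continue;
    const src = target[name];
    const copy = source[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs a merge of attacker-shaped JSON (constructed for this example) through the
// given extend function and reports whether an unrelated object picked up the
// injected property. Cleans Object.prototype afterwards so calls are independent.
function pollutionDemo(extendFn) {
  // JSON.parse creates an *own* key literally named "__proto__", which for...in visits.
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}}');
  extendFn({}, untrusted);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('pre-3.4.0 merge pollutes Object.prototype:', pollutionDemo(deepExtendVulnerable));
console.log('3.4.0+ merge pollutes Object.prototype:  ', pollutionDemo(deepExtendFixed));
```

The payload only does damage when it reaches the deep merge; a site that passes its own settings objects into jQuery.extend(true, ...) and never a user-supplied one has the vulnerable code but no path to it, which is the distinction between "version detected" on a scan and "exploitable in XF".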
 

Chris D

XenForo developer
Staff member
For developers, please check out this thread as there may be some actions you need to take to future proof your code against a change that will happen in a future version of jQuery:

 

ActorMike

Active member
we have already updated to 3.4.1 for 2.2 as we tend to mostly do jQuery updates with second point releases as there can be some minor BC breaks at times, but I'll move this to bugs and we can investigate an update for 2.1.

Hopefully this offers another new perspective. Moving forward, I hope you will consider PCI compliance to prioritize updates for third-party vulnerabilities even if XF isn't necessarily exploitable. The forums are selling memberships and payment providers require your site/server is PCI compliant or the merchant is subject to penalties and other liabilities. Thanks for your swift reply! You guys operate with excellence!

Anyone manually updating in the interim, please report your findings if you were successful or ran into any problems with add-ons.
 

Chris D

XenForo developer
Staff member
All of our default payment providers are inherently PCI compliant as your server doesn't actually touch or process any payment details directly so that's not really a valid concern here.
 

ActorMike

Active member
All of our default payment providers are inherently PCI compliant as your server doesn't actually touch or process any payment details directly so that's not really a valid concern here.

We are required to enter our website or server IP address. The scan is then performed for PCI compliance. You either pass or fail. They don't care about anything else. This particular vulnerability has existed since April 2019. I see no benefit in using a jQuery that has a known security issue in it for over 10 months, and apparently it was your intention to go over 12 months using it. Thanks for your consideration.

[Attachment: pci-compliance.jpg]
 

Mike

XenForo developer
Staff member
The fix in jQuery 3.5 also has some backwards compatibility breaks (we know of 1 area where it broke something and these are subtle to find) and we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.
 

ActorMike

Active member
we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.

Please keep in mind that the banks/credit card companies don't take this into consideration. They fail your PCI compliance scan which in turn can either cause your rates to increase, or lose your merchant account.
 

ActorMike

Active member
The fix in jQuery 3.5 also has some backwards compatibility breaks (we know of 1 area where it broke something and these are subtle to find) and we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.

Any updates, @Mike? We are failing PCI compliance per the jQuery issue. I understand what you are saying, but the bank doesn't care; they want a passing report. Thanks for your consideration.

Advisories:
CVE-2020-11023
CVE-2020-11022

[Attachments: JQuery.jpg, JQuery2.jpg]
 

Mike

XenForo developer
Staff member
If it's significant to your particular situation, I would recommend manually replacing the referenced jQuery file with the latest version. The URL would still say 3.4.1 but the contents would differ. Note that 3.5.0 was a totally broken release so you'd have to use 3.5.1.

Note that there may potentially be some side effects due to the backwards compatibility issues the change creates.
 

Andy.N

Well-known member
@ActorMike
Any update from your solution to pass the PCI scan?
I gotta do mine today, and it got 6 errors; 3 of them are related to jQuery 3.3.1 being detected. I need to find out where they are and replace or update them.
I hate doing this and it seems the merchant account company wants you to do this every 3 months or they will penalize you.

[Attachment: Screen Shot 2020-08-11 at 2.47.12 PM.png]
 

ActorMike

Active member
@Andy.N
1. Back up your /js/vendor/jquery/jquery-3.4.1.min.js file.
2. Download the compressed, production jQuery 3.5.1.
3. Overwrite /js/vendor/jquery/jquery-3.4.1.min.js with the jquery-3.5.1.min.js file.
4. Run your scan.

I'm not getting any errors yet on the forum by running jquery-3.5.1.min.js in place of jquery-3.4.1.min.js; however, as @Mike says, it may have some conflicts, so reverting back after you pass may be a good idea until XF incorporates it officially.
 