Fixed jQuery 3.3.1 Cross-Site Scripting Vulnerability

Affected version
2.x

ActorMike

Active member
I did my PCI compliance scan today and it failed because we are using a version of jQuery prior to 3.4.0.
jQuery Prior to 3.4.0 Cross-Site Scripting Vulnerability - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Is it okay to manually update it, or will it crash the forum?

Mike
 

Mike

XenForo developer
Staff member
So we have already updated to 3.4.1 for 2.2, as we tend to mostly do jQuery updates with second-point releases since there can be some minor BC breaks at times, but I'll move this to bugs and we can investigate an update for 2.1.

There shouldn't be an obvious issue manually updating, though you'd likely need to overwrite the jQuery files and keep them named 3.3.1 so the changes get picked up. (Otherwise you would also need some direct file changes.) There are also patches: https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Worth noting that I don't believe the particular report has any sort of exploitability in XF.
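To make the exploitability question above concrete, here is an added example (not code from this thread, from XenForo, or from jQuery itself) that models the deep-merge branch of `jQuery.extend(true, ...)` in the shape it had before and after the 3.4.0 fix for CVE-2019-11358. The `isPlainObject` helper is an approximation of jQuery's, the merge functions are simplified reconstructions, and the attacker JSON is constructed for the demo. What it shows is the condition Mike is referring to: the bug only bites when an object with an own key literally named `__proto__`, which in practice means attacker-controlled JSON, is deep-merged.

```javascript
// Added example: a reconstruction of jQuery.extend's deep-copy path before and
// after the 3.4.0 fix for CVE-2019-11358. Not jQuery's real source; payload is
// constructed.

// Roughly jQuery's isPlainObject: true for {} literals, JSON.parse output and
// Object.prototype itself (whose prototype is null); false for arrays, Dates...
function isPlainObject(obj) {
  if (obj === null || Object.prototype.toString.call(obj) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(obj);
  if (proto === null) return true;
  const ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
  return typeof ctor === "function" && ctor === Object;
}

// Shape of the deep-copy branch in jQuery < 3.4.0. When a source key is named
// "__proto__", target["__proto__"] evaluates to Object.prototype, which passes
// isPlainObject, so Object.prototype itself becomes the merge target.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// The 3.4.0 fix: skip a key named "__proto__" (and a copy that is the target).
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker-controlled input. JSON.parse creates an *own* property
// literally named "__proto__", which for...in enumerates.
const ATTACKER_JSON = '{"__proto__": {"polluted": true}}';

// Merge the payload into an empty object and report whether an unrelated,
// fresh object now sees the injected property (i.e. Object.prototype changed).
// Cleans up afterwards so the rest of the process is unaffected.
function pollutesGlobalPrototype(merge, json) {
  merge({}, JSON.parse(json));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// The same shape written as an object literal in page code: here "__proto__:"
// sets the prototype instead of creating an own key, so for...in only sees the
// inherited "polluted" key and copies it onto the local target. No global
// pollution with either merge, which is the "type of data" distinction.
function pollutesFromLiteral(merge) {
  merge({}, { __proto__: { polluted: true } });
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

Run it under Node: `pollutesGlobalPrototype(deepExtendVulnerable, ATTACKER_JSON)` is `true`, the fixed merge returns `false`, and ordinary nested data merges identically through both. The practical check for an installation is therefore whether any `$.extend(true, ...)` (or add-on code) deep-merges objects built from request bodies, query strings or other user-supplied JSON; if nothing does, the CVE is unreachable even though the scanner flags the file.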
 

Chris D

XenForo developer
Staff member
For developers, please check out this thread as there may be some actions you need to take to future proof your code against a change that will happen in a future version of jQuery:

 

ActorMike

Active member
Mike said:
we have already updated to 3.4.1 for 2.2 as we tend to mostly do jQuery updates with second point releases as there can be some minor BC breaks at times, but I'll move this to bugs and we can investigate an update for 2.1.
Hopefully this offers another new perspective. Moving forward, I hope you will consider PCI compliance to prioritize updates for 3rd party vulnerabilities even if XF isn't necessarily exploitable. The forums are selling memberships and payment providers require your site/server is PCI compliant or the merchant is subject to penalties and other liabilities. Thanks for your swift reply! You guys operate with excellence!

Anyone manually updating in the interim, please report your findings if you were successful or ran into any problems with add-ons.
 

Chris D

XenForo developer
Staff member
All of our default payment providers are inherently PCI compliant as your server doesn't actually touch or process any payment details directly so that's not really a valid concern here.
 

ActorMike

Active member
Chris D said:
All of our default payment providers are inherently PCI compliant as your server doesn't actually touch or process any payment details directly so that's not really a valid concern here.
We are required to enter our website or server IP address. The scan is then performed for PCI compliance. You either pass or fail. They don't care about anything else. This particular vulnerability has existed since April 2019. I see no benefit in using a jQuery that has a known security issue in it for over 10 months, and apparently it was your intention to go over 12 months using it. Thanks for your consideration.

[attachment: pci-compliance.jpg]
 

Mike

XenForo developer
Staff member
The fix in jQuery 3.5 also has some backwards compatibility breaks (we know of 1 area where it broke something and these are subtle to find) and we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.
 

ActorMike

Active member
Mike said:
we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.
Please keep in mind that the banks/credit card companies don't take this into consideration. They fail your PCI compliance scan which in turn can either cause your rates to increase, or lose your merchant account.
 

ActorMike

Active member
Mike said:
The fix in jQuery 3.5 also has some backwards compatibility breaks (we know of 1 area where it broke something and these are subtle to find) and we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.
Any updates @Mike? We are failing PCI compliance per the jQuery issue. I understand what you are saying, but the bank doesn't care, they want a passing report. Thanks for your consideration.

Advisories:
CVE-2020-11023
CVE-2020-11022
[attachments: JQuery.jpg, JQuery2.jpg]
 

Mike

XenForo developer
Staff member
If it's significant to your particular situation, I would recommend manually replacing the referenced jQuery file with the latest version. The URL would still say 3.4.1 but the contents would differ. Note that 3.5.0 was a totally broken release so you'd have to use 3.5.1.

Note that there may potentially be some side effects due to the backwards compatibility issues the change creates.
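For anyone following the manual-replacement advice, here is an added example (not code from this thread, from XenForo, or from jQuery itself) that shows on plain strings what the 3.5 `htmlPrefilter` change behind CVE-2020-11022 and CVE-2020-11023 does, why it is both the security fix and the backwards-compatibility break Mike mentions, and how to verify that a file kept under an old name such as `jquery-3.4.1.min.js` really holds a patched build. The `rxhtmlTag` regex is the one jQuery shipped through 3.4.x; the XSS payload, the `<div/><span/>` fragment and the two file headers are constructed for the demo, and `markupAfterFirstStyleClose` is a deliberately tiny stand-in for the browser's parser (a `<style>` element swallows everything up to its first `</style>`), not an HTML parser.

```javascript
// Added example: jQuery's htmlPrefilter before and after 3.5, plus a header
// check for a manually replaced jquery file. Inputs are constructed.

// jQuery < 3.5 expanded self-closing non-void tags ("<div/>" -> "<div></div>")
// before handing markup to the browser. This is the rxhtmlTag regex it used.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function htmlPrefilterLegacy(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5: htmlPrefilter is the identity; the string reaches the
// browser's parser unchanged. That removal is the fix and the BC break.
function htmlPrefilter35(html) {
  return html;
}

// Constructed payload of the kind the advisories describe: as written, the
// <img> is inert CSS text inside <style>, because there is no </style>.
const XSS_PAYLOAD = "<style><style/><img src=x onerror=alert(1)>";

// Toy model of raw-text parsing: return whatever the browser would see as
// markup after the first <style> element is closed ("" if it never closes).
function markupAfterFirstStyleClose(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf("<style");
  if (open < 0) return html;
  const close = lower.indexOf("</style>", open);
  return close < 0 ? "" : html.slice(close + "</style>".length);
}

// Dist builds of jQuery start with a header such as
//   /*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */
// (unminified builds say "jQuery JavaScript Library v3.5.1"). Read the version
// from it so a file kept under its old filename can be checked.
function jqueryVersionFromSource(src) {
  const m = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)/.exec(src.slice(0, 300));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lowest acceptable build: 3.5.1, following the advice in the thread to skip
// 3.5.0. Assumption for this example, not a jQuery or XenForo statement.
const MIN_PATCHED = [3, 5, 1];

function isPatchedBuild(src) {
  const v = jqueryVersionFromSource(src);
  if (!v) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== MIN_PATCHED[i]) return v[i] > MIN_PATCHED[i];
  }
  return true;
}

// Constructed sample file heads (not real jQuery files).
const SAMPLE_OLD_FILE = "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){/* ... */}";
const SAMPLE_NEW_FILE = "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){/* ... */}";
```

Running the pieces: `htmlPrefilterLegacy(XSS_PAYLOAD)` turns `<style/>` into `<style></style>`, so the first `</style>` now closes the outer element and `markupAfterFirstStyleClose` reports `<img src=x onerror=alert(1)>` as live markup; `htmlPrefilter35` leaves the string alone and nothing escapes the style element. The same expansion is what code relied on: `htmlPrefilterLegacy("<div/><span/>")` gives two siblings, while under 3.5 the browser reads `<div/>` as an opening tag and the span ends up nested inside the div, which is the kind of subtle breakage Mike refers to. `isPatchedBuild` on the contents of the file you overwrote is `true` only from 3.5.1 up, regardless of the `3.4.1` in the filename.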
 