Fixed Jquery 3.3.1 Cross-Site Scripting Vulnerability

ActorMike

ActorMike

Well-known member
Affected version
2.x
Last edited:
So we have already updated to 3.4.1 for 2.2 as we tend to mostly do jQuery updates with second point releases as there can be some minor BC breaks at times, but I'll move this to bugs and we can investigate an update for 2.1.

There shouldn't be an obvious issue manually updating, though you'd likely need to overwrite the jQuery files and keep them named 3.3.1 so the changes get picked up. (Otherwise you would also need some direct file changes.) There are also patches: https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Worth noting that I don't believe the particular report has any sort of exploitability in XF.
 
For developers, please check out this thread as there may be some actions you need to take to future proof your code against a change that will happen in a future version of jQuery:

xenforo.com

XF 2.1 - XenForo 2.1.8 and above uses jQuery 3.4.1 (deprecation warning)

We had already upgraded XF 2.2 to use jQuery 3.4.x but we have made the decision to bring that change forward to account for a potential XSS in jQuery 3.3.1, which you can read about here: https://xenforo.com/community/threads/jquery-3-3-1-cross-site-scripting-vulnerability.177281/ To be clear...
xenforo.com xenforo.com
 
Mike said:
we have already updated to 3.4.1 for 2.2 as we tend to mostly do jQuery updates with second point releases as there can be some minor BC breaks at times, but I'll move this to bugs and we can investigate an update for 2.1.
Click to expand...
Hopefully this offers another new perspective. Moving forward, I hope you will consider PCI compliance to prioritize updates for 3rd party vulnerabilities even if XF isn't necessarily exploitable. The forums are selling memberships and payment providers require your site/server is PCI compliant or the merchant is subject to penalties and other liabilities. Thanks for your swift reply! You guys operate with excellence!

Anyone manually updating in the interim, please report your findings if you were successful or ran into any problems with add-ons.
 
All of our default payment providers are inherently PCI compliant as your server doesn't actually touch or process any payment details directly so that's not really a valid concern here.
 
Chris D said:
All of our default payment providers are inherently PCI compliant as your server doesn't actually touch or process any payment details directly so that's not really a valid concern here.
Click to expand...
We are required to enter our website or server IP address. The scan is then performed for PCI compliance. You either pass or fail. They don't care about anything else. This particular vulnerability has existed since April 2019. I see no benefit in using a Jquery that has a known security issue in it for over 10 months and apparently was your intention to go over 12 months using it. Thanks for your consideration.

pci-compliance.jpg
 
The fix in jQuery 3.5 also has some backwards compatibility breaks (we know of 1 area where it broke something and these are subtle to find) and we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.
 
Mike said:
we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.
Click to expand...

Please keep in mind that the banks/credit card companies don't take this into consideration. They fail your PCI compliance scan which in turn can either cause your rates to increase, or lose your merchant account.
 
Mike said:
The fix in jQuery 3.5 also has some backwards compatibility breaks (we know of 1 area where it broke something and these are subtle to find) and we're not aware of an exploitable situation given the type of data that we pass into the affected function, so we've taken the decision to defer the jQuery 3.5 switch to 2.2.
Click to expand...
Any updates @Mike ? We are failing PCI compliance per the JQuery issue. I understand what you are saying, but the bank doesn't care, they want a passing report. Thanks for your consideration.

Advisories-
CVE-2020-11023

CVE-2020-11022
JQuery.jpgJQuery2.jpg
 
If it's significant to your particular situation, I would recommend manually replacing the referenced jQuery file with the latest version. The URL would still say 3.4.1 but the contents would differ. Note that 3.5.0 was a totally broken release so you'd have to use 3.5.1.

Note that there may potentially be some side effects due to the backwards compatibility issues the change creates.
 
@ActorMike
Any update from your solution to pass the PCI scan?
I gotta to do mine today and it got 6 errors, 3 of them are related to jquery 3.3.1 detected. I need to find out where they are and replace or update them.
I hate doing this and it seems the merchant account company wants you to do this every 3 months or they will penalize you.

Screen Shot 2020-08-11 at 2.47.12 PM.webp
 
@Andy.N
Backup your /js/vendor/jquery/jquery-3.4.1.min.js file.
Download the compressed, production jQuery 3.5.1
Overwrite /js/vendor/jquery/jquery-3.4.1.min.js with the jquery-3.5.1.min.js file.

Run your scan.
I'm not getting any errors yet on the forum by running jquery-3.5.1.min.js in place of jquery-3.4.1.min.js however as @Mike says, it may have some conflicts so reverting back after you pass may be a good idea until XF incorporates it officially.
 

Similar threads

S
  • Question Question
XF 2.2 Cross site scripting and Shellcode
Replies
5
Views
713
Paul B
P
Falkor
Tapatalk - Cross-Site Scripting Vulnerability
Replies
10
Views
2K
D.O.A.
D.O.A.
TheBigK
  • Locked
XenForo & Cross Site Scripting Attacks
2 3
Replies
43
Views
5K
Paul B
P
Back
Top Bottom