Out of date jquery in 2.27.0

General discussion of Mantis.

acoder2020
Posts: 102
Joined: 11 Jan 2024, 19:32

Out of date jquery in 2.27.0

Post by acoder2020 »

Tenable found that the installed jquery with Mantis 2.27.0 is out of date and thus subject to multiple XSS vulnerabilities.

URL : https://mantis.genetics.emory.edu/js/jq ... 2.4.min.js
Installed version : 2.2.4
Fixed version : 3.5.0

Could we look at getting this updated with a current jquery file (3.5.0 as of now)?
atrol
Site Admin
Posts: 8531
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: Out of date jquery in 2.27.0

Post by atrol »

Known issue, see https://mantisbt.org/bugs/view.php?id=26357

Did Tenable just say that jQuery is outdated and vulnerable in general, or did they provide details about how this can be used to attack MantisBT?
Please use Search before posting and read the Manual
acoder2020
Posts: 102
Joined: 11 Jan 2024, 19:32

Re: Out of date jquery in 2.27.0

Post by acoder2020 »

1) Downloaded the latest jquery 3.7.1 and placed in the mantisbt-2.27.0/js directory

2) Updated mantisbt-2.27.0/core/constant_inc.php


# JQuery
# hashes acquired with command 'cat file.js | openssl dgst -sha256 -binary | openssl enc -base64 -A'
define( 'JQUERY_VERSION', '3.7.1' );
define( 'JQUERY_HASH', 'sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=' );
Checked the console with Inspector and did not see any new errors, so I'm running with this.
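The hash pipeline quoted in this post, as an added example that is neither MantisBT's code nor the poster's: a POSIX shell script that computes the SRI value for a local jQuery file and compares it with the JQUERY_HASH constant in core/constant_inc.php, so a stale hash is caught before the browser refuses to load the script. It assumes openssl (or sha256sum plus xxd) is on PATH; the file paths are placeholders.

```shell
#!/bin/sh
# Added example (not MantisBT project code). Verifies that the jQuery file
# shipped in js/ matches the Subresource Integrity hash declared in
# core/constant_inc.php. A mismatch means browsers will block the script.

sri_sha256() {
    # Print "sha256-<base64 digest>" for file $1, the format MantisBT stores
    # in JQUERY_HASH. Same pipeline as the post, with a sha256sum fallback.
    if command -v openssl >/dev/null 2>&1; then
        printf 'sha256-%s\n' "$(openssl dgst -sha256 -binary "$1" | openssl enc -base64 -A)"
    else
        # hex digest -> raw bytes -> base64 without line wrapping
        printf 'sha256-%s\n' "$(sha256sum "$1" | cut -d' ' -f1 | xxd -r -p | base64 | tr -d '\n')"
    fi
}

jquery_hash_from_config() {
    # Extract the value of JQUERY_HASH from the constant_inc.php given as $1.
    # Only uncommented define() lines match, so a "#define(...)" backup is ignored.
    sed -n "s/^define( 'JQUERY_HASH', '\([^']*\)' );.*/\1/p" "$1" | head -n 1
}

check_sri() {
    # $1 = path to core/constant_inc.php, $2 = path to the jQuery file it describes.
    # Returns 0 when the declared hash matches the file on disk, 1 otherwise.
    expected=$(jquery_hash_from_config "$1")
    actual=$(sri_sha256 "$2")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK: $2 matches JQUERY_HASH ($actual)"
        return 0
    fi
    echo "MISMATCH: config declares '$expected', file hashes to '$actual'" >&2
    return 1
}

# Usage (paths are placeholders):
#   sh check_jquery_sri.sh mantisbt-2.27.0/core/constant_inc.php mantisbt-2.27.0/js/jquery-3.7.1.min.js
if [ "$#" -ge 2 ]; then
    check_sri "$1" "$2"
fi
```

Run it after every jQuery swap; it also catches a file that was re-downloaded from a different build than the one the hash was computed for.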
acoder2020
Posts: 102
Joined: 11 Jan 2024, 19:32

Re: Out of date jquery in 2.27.0

Post by acoder2020 »

No, just a general error that there are multiple XSS vulnerabilities with sites that use out of date jquery.
acoder2020
Posts: 102
Joined: 11 Jan 2024, 19:32

Re: Out of date jquery in 2.27.0

Post by acoder2020 »

Note that I just backed out that change to 3.7.1 due to a new issue I found in 2.27.0


# inactive:
#define( 'JQUERY_VERSION', '3.7.1' );
#define( 'JQUERY_HASH', 'sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=' );

# active:
define( 'JQUERY_VERSION', '2.2.4' );
define( 'JQUERY_HASH', 'sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44=' );
Backing out this change did not resolve the issue in 2.27.0.

Will come back to this.
acoder2020
Posts: 102
Joined: 11 Jan 2024, 19:32

Re: Out of date jquery in 2.27.0

Post by acoder2020 »

Just needed to complete Database Update from the 2.27.0 upgrade.

Putting jquery 3.7.1 back into play.