Out of date jquery in 2.27.0
Posted: 07 Jan 2025, 18:47
by acoder2020
Tenable found that the installed jquery with Mantis 2.27.0 is out of date and thus subject to multiple XSS vulnerabilities.
URL :
https://mantis.genetics.emory.edu/js/jq ... 2.4.min.js
Installed version : 2.2.4
Fixed version : 3.5.0
Could we look at getting this updated with a current jquery file (3.5.0 as of now)?
Re: Out of date jquery in 2.27.0
Posted: 07 Jan 2025, 18:55
by atrol
Known issue, see
https://mantisbt.org/bugs/view.php?id=26357
Did Tenable just tell you that JQuery is outdated and vulnerable in general, or did they provide details about how this can be used to attack MantisBT?
Re: Out of date jquery in 2.27.0
Posted: 07 Jan 2025, 19:05
by acoder2020
1) Downloaded the latest jquery 3.7.1 and placed in the mantisbt-2.27.0/js directory
2) Updated mantisbt-2.27.0/core/constant_inc.php
Code:
# JQuery
# hashes acquired with command 'cat file.js | openssl dgst -sha256 -binary | openssl enc -base64 -A'
define( 'JQUERY_VERSION', '3.7.1' );
define( 'JQUERY_HASH', 'sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=' );
Checked the console with Inspector and did not see any new errors, so I'm running with this.
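Added example, not part of the thread and not MantisBT code: a check that the jQuery file placed in the js directory matches the active JQUERY_HASH define, computed the same way as the openssl command in the comment above. The function names and the sample data are assumptions made up for this sketch; the caller supplies the contents of constant_inc.php and of the jQuery file.

```python
import base64
import hashlib
import re

# Matches an active define( 'JQUERY_...', '...' ); at the start of a line,
# so commented-out lines such as "#define( ... )" are skipped.
DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*'(JQUERY_VERSION|JQUERY_HASH)'\s*,\s*'([^']*)'\s*\)\s*;",
    re.MULTILINE,
)

def sri_sha256(data: bytes) -> str:
    """Same value as: openssl dgst -sha256 -binary | openssl enc -base64 -A"""
    digest = hashlib.sha256(data).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def active_jquery_defines(php_source: str) -> dict:
    """Return the active JQUERY_* defines found in the PHP source."""
    found = {}
    for name, value in DEFINE_RE.findall(php_source):
        found.setdefault(name, value)  # PHP keeps the first define of a constant
    return found

def check_jquery(php_source: str, js_bytes: bytes) -> tuple:
    """Return (ok, configured_hash, actual_hash) for the given jQuery file."""
    configured = active_jquery_defines(php_source).get("JQUERY_HASH")
    actual = sri_sha256(js_bytes)
    return (configured == actual, configured, actual)

# Constructed sample data: not real jQuery and not a real MantisBT file.
SAMPLE_JS = b"/* constructed stand-in for the jQuery file */\n"
SAMPLE_PHP = (
    "# inactive:\n"
    "#define( 'JQUERY_VERSION', '2.2.4' );\n"
    "#define( 'JQUERY_HASH', 'sha256-CONSTRUCTED-OLD-VALUE' );\n"
    "# active:\n"
    "define( 'JQUERY_VERSION', '3.7.1' );\n"
    f"define( 'JQUERY_HASH', '{sri_sha256(SAMPLE_JS)}' );\n"
)

if __name__ == "__main__":
    ok, configured, actual = check_jquery(SAMPLE_PHP, SAMPLE_JS)
    print("match" if ok else f"MISMATCH: configured {configured}, file is {actual}")
```

A mismatch means the file on disk is not the one the hash was taken from, for example a partial download or an edit to the constant without replacing the file.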
Re: Out of date jquery in 2.27.0
Posted: 07 Jan 2025, 19:06
by acoder2020
No, just a general error that there are multiple XSS vulnerabilities with sites that use out of date jquery.
Re: Out of date jquery in 2.27.0
Posted: 07 Jan 2025, 19:28
by acoder2020
Note that I just backed out that change to 3.7.1 due to a new issue I found in 2.27.0
Code:
# inactive:
#define( 'JQUERY_VERSION', '3.7.1' );
#define( 'JQUERY_HASH', 'sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=' );
# active:
define( 'JQUERY_VERSION', '2.2.4' );
define( 'JQUERY_HASH', 'sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44=' );
Backing out this change did not resolve the issue in 2.27.0.
Will come back to this.
Re: Out of date jquery in 2.27.0
Posted: 07 Jan 2025, 20:10
by acoder2020
Just needed to complete Database Update from the 2.27.0 upgrade.
Putting jquery 3.7.1 back into play.
Re: Out of date jquery in 2.27.0
Posted: 18 Sep 2025, 08:25
by aguadecoco
acoder2020 wrote: 07 Jan 2025, 20:10
Just needed to complete Database Update from the 2.27.0 upgrade.
Putting jquery 3.7.1 back into play.
I'm planning to update the JQuery.
Have you encountered any problems since you uploaded the jquery version?
Re: Out of date jquery in 2.27.0
Posted: 19 Sep 2025, 13:37
by acoder2020
No problems with the new jquery