Fuel is currently running on jquery 1.7.1. The current version is 3.6.4
What's involved in upgrading Fuel to run this?
It seems many of the 3rd party jquery plugins are no longer supported or will not run on the newer jquery. The "jqx" and "fuel" javascripts under ./assets/js/ break if the newer version is used.
While 1.7.1 is fine for running a vanilla Fuel install, it's becoming increasingly difficult to build custom fields (that use 3rd party plugins) and maintain support for CKEditor and its plugins.
Comments
Vulnerable javascript library: jQuery
version: 1.7.1
script uri: https://metadata.marinebiodiversity.org/fuel/modules/fuel/assets/js/jquery/jquery.js?c=-62169983925
Details:
In jQuery version before 1.9.0b1 selector interpreted as HTML. This could lead to potential vulnerabilities (https://bugs.jquery.com/ticket/11290).
Solution: jQuery version 1.9.0b1 has been released to address the issue. Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
Solution: jQuery version 1.12.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). NOTE: Fix was reverted back in 1.12.2, so version 1.12.3 and above but below 3.0.0-beta1 are vulnerable as well. Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
CVE-2019-11358: jQuery versions below 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. An unsanitized source object containing an enumerable __proto__ property could extend the native Object.prototype. Please refer to the following resources for more details: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/, https://nvd.nist.gov/vuln/detail/CVE-2019-11358, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b.
jQuery versions below 3.5.0 used a regex in its jQuery.htmlPrefilter method. This regex, which is used to ensure that all tags are XHTML-compliant, could introduce a vulnerability to Cross-site Scripting (XSS) attack. Please refer to vendor documentation (https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and https://jquery.com/upgrade-guide/3.5/) for the security fix details.
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. Please refer to https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 and https://nvd.nist.gov/vuln/detail/CVE-2020-11022 for details.
Found on the following pages (only first 10 pages are reported):
https://metadata.marinebiodiversity.org/fuel/login/5a6e566c6243396b59584e6f596d3968636d513d
https://metadata.marinebiodiversity.org/fuel/login/pwd_reset
https://metadata.marinebiodiversity.org/fuel/login/
https://metadata.marinebiodiversity.org/fuel/login/robots.txt
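An added example for anyone auditing a Fuel install against the ranges in the report above (this is example code, not from the thread, the scanner, or FUEL CMS itself). It encodes the version ranges exactly as the report states them, compares versions with pre-release awareness (so 3.0.0-beta1 sorts before 3.0.0 and the 1.12.0 to 1.12.2 window is correctly treated as fixed for CVE-2015-9251), and reads the version out of the banner comment that jQuery ships at the top of its file. The function names, the issue labels for the two entries the report lists without a CVE id, and the sample banner string are all my own constructions; the banner regex assumes the standard "jQuery v1.7.1" comment form.

```javascript
// Added example (not FUEL CMS code): classify a jQuery version against the
// issue ranges quoted in the scanner report, and pull the version out of a
// jQuery file's banner comment so a deployed copy can be checked.

// Parse "1.7.1", "1.2", "3.0.0-beta1" or "1.9.0b1" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:-?([0-9A-Za-z][0-9A-Za-z.]*))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]),
    pre: m[4] === undefined ? null : m[4], // null means a final release
  };
}

// Negative, zero or positive like strcmp. A pre-release sorts before the
// final release with the same numbers (3.0.0-beta1 < 3.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Half-open interval check: min <= v < max (null min means "any version").
function inRange(v, min, max) {
  return (min === null || compareVersions(v, min) >= 0) && compareVersions(v, max) < 0;
}

// Issue ranges as the report states them. The first and fourth entries carry
// no CVE id in the report, so they are labelled by description (my labels).
const JQUERY_ISSUES = [
  { id: 'jquery-bug-11290 (selector interpreted as HTML)', ranges: [[null, '1.9.0b1']] },
  { id: 'CVE-2015-9251', ranges: [['1.4.0', '1.12.0'], ['1.12.3', '3.0.0-beta1']] },
  { id: 'CVE-2019-11358', ranges: [[null, '3.4.0']] },
  { id: 'htmlPrefilter regex XSS', ranges: [[null, '3.5.0']] },
  { id: 'CVE-2020-11022', ranges: [['1.2', '3.5.0']] },
];

// Return the ids of every listed issue that applies to the given version.
function affectedIssues(version) {
  return JQUERY_ISSUES
    .filter(issue => issue.ranges.some(([min, max]) => inRange(version, min, max)))
    .map(issue => issue.id);
}

// Extract the version from the banner comment at the top of a jQuery file,
// e.g. "/*! jQuery v1.7.1 ..." (assumed standard banner form).
function versionFromBanner(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+\.\d+[0-9A-Za-z.\-]*)/.exec(source);
  return m ? m[1] : null;
}

// Constructed sample: the first line of a 1.7.1-style minified file.
const SAMPLE_BANNER = '/*! jQuery v1.7.1 jquery.com | jquery.org/license */';

// Stand-alone run: report what a Fuel install on 1.7.1 is exposed to.
console.log(versionFromBanner(SAMPLE_BANNER), affectedIssues(versionFromBanner(SAMPLE_BANNER)));
```

Feed `versionFromBanner` the first line of the served `jquery.js` (the report's script uri) and pass the result to `affectedIssues`; an empty array means none of the listed issues apply. Note that the `c=` query parameter in the script uri is a cache-buster, not a version, which is why the banner is read instead.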
See https://forum.getfuelcms.com/discussion/3666/jquery-v3-x-support for resolution