View Issue Details

ID: 0032727
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-07-03 14:48
Reporter: michael.h
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 2.25.7
Summary: 0032727: jQuery XSS Vulnerability
Description

Hello,
Our vulnerability scan reports a cross-site scripting vulnerability in Mantis version 2.25.7.
The XSS vulnerability is reported because of an outdated jQuery version.

The output of the scan shows:

URL : https://mantis.test.de/js/typeahead.jquery-1.3.0.min.js
Installed version : 1.3.0
Fixed version : 3.5.0

URL : https://mantis.test.de/js/jquery-2.2.4.min.js
Installed version : 2.2.4
Fixed version : 3.5.0

Is jQuery used in Mantis, or can it be uninstalled?
If it is used, will there be an update for the jQuery version?

Thanks!

TagsNo tags attached.
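The two flagged paths in the scan output above are what a version-fingerprinting scanner keys on: the library name and version number embedded in the script filename. The following is an added example, not part of the report and not MantisBT's own code. It collects `<script src>` attributes from a page, parses `name-x.y.z[.min].js` filenames, and flags any library below a minimum version. The minimum-version table, the `SAMPLE_HTML` page and all function names are constructed for this illustration; the two script paths are those quoted in the report, and the 3.5.0 threshold is the "Fixed version" the scanner printed for both entries.

```python
import re
from html.parser import HTMLParser

# Minimum acceptable versions. Constructed from the scan output quoted in the
# report: the scanner printed "Fixed version : 3.5.0" for both bundles.
FIXED_VERSIONS = {
    "jquery": (3, 5, 0),
    "typeahead.jquery": (3, 5, 0),
}

# Matches filenames such as "jquery-2.2.4.min.js" or "typeahead.jquery-1.3.0.min.js".
LIB_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w.]*?)-(?P<ver>\d+(?:\.\d+)*)(?:\.min)?\.js$"
)


def parse_version(text, width=3):
    """Turn '2.2.4' into (2, 2, 4); shorter strings are zero-padded so that
    '3.5' compares equal to '3.5.0' rather than below it."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for key, value in attrs:
            if key.lower() == "src" and value:
                self.srcs.append(value)


def script_sources(html):
    collector = ScriptSrcCollector()
    collector.feed(html)
    return collector.srcs


def identify_library(src):
    """Return (library name, version tuple) for a versioned script URL, or
    None when the filename carries no recognisable name-version pattern."""
    path = src.split("?", 1)[0].split("#", 1)[0]   # drop query string / fragment
    filename = path.rsplit("/", 1)[-1]
    match = LIB_RE.match(filename)
    if match is None:
        return None
    return match.group("name").lower(), parse_version(match.group("ver"))


def outdated_libraries(html, fixed=FIXED_VERSIONS):
    """Return (src, name, installed, fixed) for every script whose version is
    below the minimum in `fixed`. Unknown libraries are skipped, not flagged."""
    findings = []
    for src in script_sources(html):
        ident = identify_library(src)
        if ident is None:
            continue
        name, installed = ident
        if name in fixed and installed < fixed[name]:
            findings.append((src, name, installed, fixed[name]))
    return findings


# Constructed sample page (not MantisBT's real HTML). The first two script
# paths are the ones quoted in the scan output; common.js is unversioned.
SAMPLE_HTML = """
<html><head>
<script src="https://mantis.test.de/js/jquery-2.2.4.min.js"></script>
<script src="https://mantis.test.de/js/typeahead.jquery-1.3.0.min.js"></script>
<script src="/js/common.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, name, installed, fixed in outdated_libraries(SAMPLE_HTML):
        ver = ".".join(map(str, installed))
        want = ".".join(map(str, fixed))
        print(f"{src}: {name} {ver} is below fixed version {want}")
```

This reproduces the scanner's reasoning, and also its limit: it is a filename fingerprint, so a renamed, concatenated or inlined copy of the same library is not seen at all, and a matching name proves nothing about whether the vulnerable code path is reachable on the page. Treat its output as a lead to confirm against the bundled file and the project's own changelog, not as proof of exploitability.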

Relationships

duplicate of 0026357 (acknowledged): Vulnerability from library JQuery 2.2.4

Activities

dregad (developer), 2023-06-20 06:26, note ~0067852

You did not provide any details on the vulnerabilities detected (CVE number, etc.), so I can't be sure if it's actually the same, but we are aware of security issues with the outdated version of jQuery we're bundling.

Unfortunately, upgrading to jQuery 3.x is not a small undertaking and we don't have the resources for that at the moment. However, the risk is mitigated by use of CSP.

I would definitely recommend not to deactivate jQuery.

I'm closing this as duplicate of 0026357. Next time please search before opening a new issue.