View Issue Details

ID: 0034416
Project: mantisbt
Category: security
View Status: public
Last Update: 2024-04-25 03:49
Reporter: Mickoloh
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: duplicate
Platform: Linux
OS: RedHat Enterprise Linux
OS Version: 9.3
Product Version: 2.26.1
Summary: 0034416: NESSUS reports vuln for jquery and typeahead
Description

Our Nessus scanner reports the following vulnerabilities:

jquery is version 2.2.4, should be 3.5.0+
typeahead.js is 1.3.0, should be 3.5.0+

Related:
CVE-2020-11022
CVE-2020-11023

Thanks!

Additional Information

From ./library/README.md:

MantisBT external libraries

This directory contains a copy the 3rd-party libraries used by MantisBT.

The version and status of each is summarized below:

----snip---

| library / plugin | version | status |
| jquery | 2.2.4 | unpatched |

----snip---

| typeahead.js | 1.3.0 | unpatched |

Tags: No tags attached.

Attached Files

mantis-jquery-typeahead.png (18,914 bytes)

Relationships

duplicate of 0026357 (acknowledged): Vulnerability from library JQuery 2.2.4
related to 0034417 (resolved, dregad): Update corejs-typeahead.js library to 1.3.4

Activities

dregad (developer) ~0068860

2024-04-23 10:47

Last edited: 2024-04-23 10:48

Thanks for the report.

With regards to the jQuery vulnerability, this is a known issue that has already been reported to us several times (see 0026357). Unfortunately, we are currently on the latest available 2.x release, which is no longer receiving patches.

Considering the number of breaking changes introduced by version 3.x, upgrading is not a small undertaking, and would require extensive testing to ensure full compatibility; sadly we do not have the bandwidth for taking this on at the moment. Contributions are welcome.

typeahead.js is 1.3.0, should be 3.5.0+

According to https://github.com/corejavascript/typeahead.js/releases, the latest available release is 1.3.4, not sure where you are getting the 3.5.0+ reference from.

The changelog does not mention any specific vulnerabilities fixed between 1.3.0 and 1.3.4, although the 1.3.1 release includes updates of numerous npm dependencies to resolve vulnerability warnings.

Follow-up in 0034417 for upgrade to 1.3.4.

Mickoloh (reporter) ~0068861

2024-04-23 11:01

Hi!

The 3.5.0+ was what Nessus indicated as the version in which the vulnerability was fixed - sorry about that!

I'll definitely check out the 1.3.4 upgrade documentation.

Thank you!