JQuery 1.2 < 3.5.0 Multiple XSS

[andrey lopez]

Hello, good afternoon.

I would like to know if you can help me with a question.

A few days ago I did a vulnerability scan on my VIVO 1.11 server and the "JQuery 1.2 < 3.5.0 Multiple XSS" vulnerability was detected.

The recommendation is to update JQuery to version 3.5 or higher.
Note: The current version of VIVO 1.11 and the version of jQuery.fn.jquery is '1.12.4'.

I would like to know what is the best option to mitigate the vulnerability.
1. Update JQuery library.
2. Update the version of VIVO to 1.13 and if this is the best option, which version of JQuery does it include
3. Some other option.

Thank you very much.

Regards.

[Benjamin Gross]

Hello,

The latest version of VIVO still includes jQuery 1.12.4 (see https://github.com/vivo-project/Vitro/blob/main/webapp/src/main/webapp/templates/freemarker/page/partials/headScripts.ftl#L9).

The best option would be updating jQuery, though I would suspect there are some compatibility issues that would need to be addressed to maintain the app’s functionality. If you attempt this, please let us know how it goes.

Benjamin

_____________________________
Benjamin Gross
API Product Manager, Science Group

Clarivate
clarivate.com
Accelerating innovation

--
You received this message because you are subscribed to the Google Groups "VIVO Tech" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vivo-tech+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vivo-tech/21cc830d-8760-473b-bf9e-b4f520f98d03n%40googlegroups.com.

Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately.