
#1 2024-11-06 14:23:21

vishvas upadhyay
Member
Registered: 2024-09-27
Posts: 3

Vulnerable jQuery UI Library (v1.13.0) in GLPI 10.0.16

Hello GLPI Community,

I'm currently using GLPI version 10.0.16, and I’ve identified a security vulnerability related to the jQuery UI library in my installation.

Issue: The identified library jQuery UI, version 1.13.0, has known vulnerabilities. The following path indicates where this library is used:

public/lib/base.min.js?v=f0d24bd3e6bab64fa4e3656baefdc9f8880ba503

Evidence: The library version in use:


/*! jQuery UI - v1.13.0 - 2021-11-09

Request: Could someone guide me on how to update the jQuery UI library in GLPI to a secure version? Are there any recommended steps or updates I should follow to address this vulnerability?

Thanks in advance for your help!


GLPI Specialist | Redis Implementation | PHP Customization & Optimization.
Optimizing workflows and enhancing system performance one line of code at a time!
Current focus: Custom work, caching strategies, and seamless integrations.
Open to connect and collaborate!
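The evidence in the post comes from the version banner that minified bundles keep at the top of the file. The following is an added example (not GLPI's code) of a read-only inventory check that pulls those banners out of a JS bundle and flags versions below a floor; the minimum versions, the sample bundle and the `scan_tree` helper are constructed for illustration.

```python
import re
from pathlib import Path

# Banner shape as quoted in the post:  /*! jQuery UI - v1.13.0 - 2021-11-09
# jQuery itself uses a similar banner:  /*! jQuery v3.6.0 | ...
BANNER_RE = re.compile(r"/\*!\s*(jQuery UI|jQuery)\s+-?\s*v(\d+(?:\.\d+)*)")

# Floors are constructed for this example from the releases named in the thread
# (jQuery UI 1.14, jQuery 3.7.1); they are not a GLPI policy.
MINIMUM = {"jQuery UI": (1, 14), "jQuery": (3, 7, 1)}


def parse_version(text):
    """'1.13.0' -> (1, 13, 0); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def find_banners(js_source):
    """Return [(library, version_tuple)] for every banner found in a bundle."""
    return [(m.group(1), parse_version(m.group(2))) for m in BANNER_RE.finditer(js_source)]


def outdated(js_source, minimum=MINIMUM):
    """Libraries whose banner version is below the configured floor."""
    findings = []
    for lib, ver in find_banners(js_source):
        floor = minimum.get(lib)
        if floor is not None and ver < floor:
            findings.append((lib, ver, floor))
    return findings


def scan_tree(root, minimum=MINIMUM):
    """Walk a deployed webroot (e.g. public/lib) and report outdated bundles per file."""
    report = {}
    for path in Path(root).rglob("*.js"):
        hits = outdated(path.read_text(errors="ignore"), minimum)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample bundle mimicking a combined base.min.js with two banners.
SAMPLE_BUNDLE = """/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors */
!function(e,t){"use strict"}(window);
/*! jQuery UI - v1.13.0 - 2021-11-09
 * http://jqueryui.com
 */
"""

if __name__ == "__main__":
    for lib, ver, floor in outdated(SAMPLE_BUNDLE):
        print(f"{lib} {'.'.join(map(str, ver))} is below {'.'.join(map(str, floor))}")
```

A banner only tells you what was bundled, not whether a given flaw is reachable through GLPI; as the moderator notes below, that question belongs in a proper security report.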


#2 2024-11-07 06:56:17

we-sell-bags
Member
Registered: 2020-12-31
Posts: 8

Re: Vulnerable jQuery UI Library (v1.13.0) in GLPI 10.0.16

It is NOT that simple.

Current version of jQuery UI is v1.14
Current version of jQuery is v3.7.1

You cannot just go into the JS and randomly update the pages; it's a potential re-write of the JS to change such a base library as jQuery/jQuery UI,
since other JS packages are tied very specifically to a given base library (DataTables).

jQuery UI ties into jQuery.

It breaks in very specific ways..... ESP. if you only have JS functions that execute behind "conditional" statements.

Your GLPI site should not be exposed to the public internet anyway.

Go here:
github.com/jquery/jquery/releases

to see the "breaking" changes, ESP. going 1->2->3->4.

Then see for the UI version:

jqueryui.com/changelog/

Just randomly updating libraries without considering & understanding the interrelation is asking for trouble....


#3 2024-11-08 15:50:13

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,821
Website

Re: Vulnerable jQuery UI Library (v1.13.0) in GLPI 10.0.16

we-sell-bags wrote:

Your GLPI site should not be exposed to the public internet anyway.

There is nothing wrong with this as long as common sense measures are applied like any public website/web application.

For the issue with the library, if you feel like a vulnerability with it is actually exploitable through GLPI, you need to make a proper report rather than using the Forum.
https://github.com/glpi-project/glpi/security

In general, just keep your GLPI up to date and let the GLPI developers worry about dependency/library versions.


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
