upgrading jquery to 3.5.1 on concrete5 8.5.5

hi All,
I need to update jQuery from 3.3.2-1 to 3.5.1; this is on Concrete5 8.5.5.

What are the risks on doing this?
Any guidance on the steps to do it?

Thanks

Martyn

FaganSystems
stewblack23 replied:
Hey FaganSystems

Why do you need to update the core jquery in concrete5?
FaganSystems replied:
A fair question. A website which I built for a client running 8.5.5 is failing a pen test for the version of jQuery installed, and they require it to be 3.5 or later; the pen test report says "JQuery 1.2 < 3.5.0 Multiple XSS". So the client needs the version to be upgraded.

Any experience at this?
I have dropped the latest version into a test version which seems to be working ok, just wanted to be sure there aren't any hidden issues.

Thanks
Martyn
JohntheFish replied:
Is the penetration test failure real or hypothetical?
i.e.
hypothetical - the version of jquery has a theoretical security weakness, which is not acceptable, even if the functionality with the weakness is never called.

real - security has been breached by a penetration test.
FaganSystems replied:
This is related to an actual pen test failure/issue.

From the pen testing company:
Description
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities. Note, the vulnerabilities referenced in this test have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.

The client requires this to be resolved hence the question.
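An added example, not code from this thread or from concrete5, covering the two things the posts above care about: whether a self-reported jQuery version falls in the range the scanner flagged (>= 1.2 and < 3.5.0), and the main behaviour change to regression-test after moving to 3.5.x, namely that jQuery 3.5.0 stopped expanding self-closing tags such as `<div/>` into `<div></div>` in its HTML prefilter. The function names, the version strings and the sample theme snippet are constructed for this example; in a browser you would pass `jQuery.fn.jquery` to `isFlaggedVersion`.

```javascript
// Parse "3.3.2-1" style strings into [major, minor, patch], ignoring any suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error("unrecognised jQuery version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The finding as worded by the scanner: version >= 1.2 and prior to 3.5.0.
// In a page, call isFlaggedVersion(jQuery.fn.jquery).
function isFlaggedVersion(v) {
  return compareVersions(v, "1.2.0") >= 0 && compareVersions(v, "3.5.0") < 0;
}

// Before 3.5.0 jQuery.htmlPrefilter rewrote "<tag/>" as "<tag></tag>" for every
// non-void element; 3.5.0 made the prefilter a no-op, so a literal such as
// $("<div/><span/>") now produces different DOM. This scan lists the markup
// literals in site JavaScript that are affected, so they can be reviewed.
const VOID_TAGS = /^(area|br|col|embed|hr|img|input|link|meta|param)$/i;
const SELF_CLOSING = /<([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*\/>/gi;

function findSelfClosingTags(source) {
  const hits = [];
  let m;
  while ((m = SELF_CLOSING.exec(source)) !== null) {
    if (!VOID_TAGS.test(m[1])) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample in the style of theme JavaScript; the <br/> is a void
// element and is unaffected, the other two literals change meaning in 3.5.
const SAMPLE_JS =
  "var $row = $('<div class=\"row\"/>').append($('<span/>')); var $b = $('<br/>');";

console.log("3.3.2-1 flagged:", isFlaggedVersion("3.3.2-1")); // true
console.log("3.5.1 flagged:", isFlaggedVersion("3.5.1"));     // false
console.log("literals to review:", findSelfClosingTags(SAMPLE_JS));
```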
JohntheFish replied:
So have Franz & Andrew been notified of a security risk to concrete5 generally?
FaganSystems replied:
Not yet, but I will now; my primary focus was on trying to resolve the issue to my client's satisfaction, until the change is approved and completed and then retested by the outside pen testers. But I will advise them of the issue.
Is there a preferred group to do this through?

Thanks
Martyn
JohntheFish replied:
Most direct attention is the popup chat form. They also have a hacker1 presence.

If there is a security issue that affects all sites, they usually get a new version out quickly, or at least a patch on GitHub, which may in turn be the fastest solution to your original question.