upgrading jquery to 3.5.1 on concrete5 8.5.5
Hi all,
I need to update jQuery from 3.3.2-1 to 3.5.1. This is on Concrete5 8.5.5.
What are the risks of doing this?
Any guidance on the steps to do it?
Thanks
Martyn
A fair question. A website which I built for a client running 8.5.5 is failing pen testing for the version of jQuery installed, and they require it to be 3.5 or later; the pen test report says "JQuery 1.2 < 3.5.0 Multiple XSS". So the client needs the version to be upgraded.
Any experience at this?
I have dropped the latest version into a test version which seems to be working ok, just wanted to be sure there aren't any hidden issues.
Thanks
Martyn
Is the penetration test failure real or hypothetical?
i.e.:
hypothetical - the version of jquery has a theoretical security weakness, which is not acceptable, even if the functionality with the weakness is never called.
real - security has been breached by a penetration test.
This is related to an actual Pen test failure/issue
From the Pen testing company
Description
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities. Note, the vulnerabilities referenced in this test have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.
The client requires this to be resolved hence the question.
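The scanner finding quoted above rests only on the version string the script reports about itself. As an added example that is not part of the original thread, this Node.js sketch applies the same range test (>= 1.2 and < 3.5.0) to a script's banner comment; the function names and sample banners are constructed for illustration, and the banner formats matched are an assumption about typical jQuery builds.

```javascript
// Added example: the range check a banner-based scanner applies to jQuery.
// Assumed banner forms: "/*! jQuery v3.3.1 | ..." (minified),
// " * jQuery JavaScript Library v3.3.1" (unminified), "jQuery 1.2.6" (old).
const BANNER_RE = /jQuery(?: JavaScript Library)? v?(\d+)\.(\d+)(?:\.(\d+))?/;

// Returns [major, minor, patch] or null when the file carries no banner.
function parseSelfReportedVersion(scriptText) {
  const m = BANNER_RE.exec(scriptText);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric comparison per component, so 3.10.0 sorts after 3.5.0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Range from the report: greater than or equal to 1.2 and prior to 3.5.0.
function inFlaggedRange(version) {
  return compareVersions(version, [1, 2, 0]) >= 0 &&
         compareVersions(version, [3, 5, 0]) < 0;
}

function assess(scriptText) {
  const v = parseSelfReportedVersion(scriptText);
  if (v === null) {
    // No banner: the check cannot decide either way.
    return { version: null, flagged: false, note: "no banner found" };
  }
  return { version: v.join("."), flagged: inFlaggedRange(v) };
}

// Constructed sample file headers, not taken from any real site.
const samples = {
  "old-minified": "/*! jQuery v3.3.1 | (c) JS Foundation | jquery.org/license */\n!function(e,t){}(window);",
  "new-minified": "/*! jQuery v3.5.1 | (c) JS Foundation | jquery.org/license */\n!function(e,t){}(window);",
  "unminified": "/*!\n * jQuery JavaScript Library v1.12.4\n * https://jquery.com/\n */",
  "banner-stripped": "!function(e,t){}(window);",
};
for (const [name, text] of Object.entries(samples)) {
  console.log(name, JSON.stringify(assess(text)));
}
```

A file with no banner comes back as `version: null`, which means the check could not decide, not that the copy is patched; every jQuery file the site serves needs the same check, not only the one the report names.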
So have Franz & Andrew been notified of a security risk to concrete5 generally?
Not yet, but I will now. My primary focus was on trying to resolve the issue to my client's satisfaction, until the change is approved and completed, then retested by the outside pen testers. But I will advise them of the issue.
Is there a preferred group to do this through?
Thanks
Martyn
Most direct attention is the popup chat form. They also have a HackerOne presence.
If there is a security issue that affects all sites, they usually get a new version out quick, or at least a patch on github. Which may in turn be the fastest solution to your original question.
Why do you need to update the core jquery in concrete5?