jquery-ui icon indicating copy to clipboard operation
jquery-ui copied to clipboard
verified publisher icon jquery

Vulnerability Detected: CVE-2024-30875 (Cross-site Scripting - XSS)

Open goiaalexandru opened this issue 1 year ago • 11 comments

Package: [email protected] or above. Vulnerability Title: [CVE-2024-30875] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability Description: A Cross-Site Scripting (XSS) vulnerability exists in [email protected], allowing a remote attacker to execute arbitrary code and potentially obtain sensitive information. This vulnerability is triggered via a crafted payload targeting the window.addEventListener component.

CVSS Score: 5.1 (Medium) CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVE: CVE-2024-30875

Extra: https://cvefeed.io/vuln/detail/CVE-2024-30875

Steps to Reproduce:

Use [email protected] or above in a web application. Send a crafted payload to exploit the window.addEventListener component. The payload is improperly neutralized, leading to XSS vulnerability. Please consider patching this vulnerability in the next release.

Thank you!

goiaalexandru avatar Oct 21 '24 14:10 goiaalexandru

Was there an issue that was fixed in 1.13.2 but not included in the release notes (https://jqueryui.com/changelog/1.13.2/)?

jasonparallel avatar Oct 21 '24 18:10 jasonparallel

I don't think there's anything to fix. The CVE proof of concept is so vague it can apply to any app, even if it doesn't use any dependencies. It boils down to "If you take user input and directly insert it into your page, bad things can happen" which is not a jquery-ui problem

d-ellis avatar Oct 22 '24 09:10 d-ellis

This CVE looks bogus, I'm in the process of disputing it.

mgol avatar Oct 25 '24 14:10 mgol

For now, I contacted Snyk and they already took it down from their database: https://security.snyk.io/package/npm/jquery-ui

mgol avatar Oct 25 '24 14:10 mgol

@mgol I was going to wait until Monday for a response from the reporter and then figure out how to dispute it, but that saves me a job

d-ellis avatar Oct 25 '24 15:10 d-ellis

I’ve submitted a CVE request to Mitre to reject this CVE, I’m waiting for a response now.

I was thinking about waiting for the response first, but the whole report looked so shady and people get bombarded by security requests now that I thought I should get the ball rolling ASAP.

mgol avatar Oct 25 '24 15:10 mgol

I submitted a request to Sonatype and they have also removed it from their database

d-ellis avatar Oct 30 '24 09:10 d-ellis

Thanks @mgol! US Gov. Information Assurance processes are claiming jQuery provided mitigation strategies (upgrading to latest jQuery UI). Have you been in touch with them or is this just (likely) a copy paste error?

riverar avatar Oct 30 '24 18:10 riverar

I've released jQuery UI 1.14.1 today. But there's nothing there to address this report as there's nothing to address, it's bogus. I have not been in touch with them.

mgol avatar Oct 30 '24 18:10 mgol

I'll handle pushing back in that channel and (hopefully) getting a correction out, thanks for confirming.

riverar avatar Oct 30 '24 18:10 riverar

It's still being reported in Veracode. Anyone been in contact with them?

mgroetan avatar Dec 02 '24 08:12 mgroetan