Vulnerable JQuery 1.7.2

[kravietz]

As reported by Retire.js, flower incorporates a very old JQuery version that has known vulnerabilities. I would recommend upgrading to jquery-1.12.4.min.js which is the latest in 1.x line.

jquery 1.7.2 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

[ghost]

+1

[kfortner]

Is there a plan to update the version of JQuery?

[kckrithika]

I also want this fix. Any plan?

[mmdanziger]

This is raising flags for me with IT. Any word on a fix?

[johanvergeer]

I have picked this up in #1078

[mmdanziger]

@johanvergeer is there a fork with the progress so far? happy to contribute if i can

[johanvergeer]

@mmdanziger Thanks for reaching out. I haven't pushed anything yet because it is still a work in progress (a.k.a. a mess 😄 )

I will let you know when I think it is far enough to push so you can jump in.

We can also have a call if you like so we might share some thoughts.

[huazaizai0322]

I also want this fix. Any plan?

[mher]

Fixed by https://github.com/mher/flower/pull/1280