There are several vulnerabilities found in far outdated versions of jQuery!
This currently means for us: stop all work on the project right now and get it fixed! And if we're not able to get it fixed, they're stopping the project.
I think I don't need to mention what this means for us!
We're not talking about zero-day stuff, no, these things date back to 2019 and 2020!! Five years!
I can't remember how often I mentioned that these old libs will hit Preside one day. And that day, at least for us, is now! And I don't understand how you can sell products like RM without anyone having concerns about that.
The argument "it's behind a login" doesn't work here, since it's a pure admin app. So we can't go and hide the admin behind additional security layers.
Please, how can this issue be solved? I would love to just switch to a newer version of jQuery, but since this is a special jQuery version for Preside, I think I have no chance on my own. Right?
What can I do to calm down my customer(s)?!
Are there any security updates for Preside? I haven't seen any.
I really kindly ask you to keep your libs updated. This is getting more and more serious as time flies!
The line of "vulnerable code not used" has worked for us thus far. Just because a vulnerability is flagged in a pen test is not the same as finding a vulnerability.
That said, I'd love to get it resolved if we can. It's just that we have had no major impetus for doing a lot of work that will have little to no impact on us to date.
Are you using the alt admin theme? I think that would be a good place to start with trying to replace at least jQuery. I think the biggest blocker would be if the version of Bootstrap we're using does not work with the later jQuery versions. If that is the case, upgrading Bootstrap is really like a full rewrite, and that is no small ask given all the extensions, etc. that are written to the framework.
Alternatives we could look at would be forks of those projects that have addressed the vulnerabilities, if they exist. We could even fork our own and rename them while patching the vulnerabilities (disabling the vulnerable features).
Have you looked into upgrading jQuery and seeing what happens (in a project override)?
Sounds to me like: "Hey, there's a way to get admin rights if you do this and that, but we're not doing this, so it's safe."
Come on!
The customer is getting a report from his IT team with vulnerabilities. End of story!
He doesn't care if you use this code or not. He has a report and is rubbing it in my face! And again: we're not talking about issues which came up last week. 2019!!
Yes we are. I see a jQuery 1.10 and 2.0 in the Preside core. Both from 2013(!!). Bootstrap 3.0 is so old I can't even download that version from the Bootstrap archive (also from 2013).
Oh hell, yes it is! And do you know why? Because the thing was ignored for what is now 12 years!
A customer has an Angular project in version 12. Bringing it to the current v19 is also basically a complete rewrite. And why? Because the programmer did not update it from version to version in small steps, so now it's a bunch of work.
Dom, how often did I mention these outdated libs? The one thing that happened was an update to Font Awesome.
Especially the new versions of Bootstrap are so good and make the design process so easy. I don't know why this isn't updated for Pixl8 internally as well. Do you really let your design team code with Bootstrap 3 and let them do hacks to get stuff done?
Well, this is what we have today. There's no time for us to lose; we need to work on the project. But we can only work on it again once we have solved this problem.
It hasn’t been done because it hasn’t been a priority among the million other things. We’d love for it to happen, of course and I regret that it hasn’t happened sooner.
This looks promising as an immediate solution to security compliance:
At a glance, the 2.2 version has those CVEs addressed. This could be a great immediate solution while we work on an alternative admin theming approach.
Update on this: changes in both core Preside and the alt admin theme have been made to use the security-patched version of jQuery (which is a 2.0 → 2.2 upgrade) and to ditch support for IE and therefore remove jQuery 1.
These are currently in testing, but initial tests look promising.
This has now been hotfixed and patched back to 10.18. The alt admin theme has also been hotfixed and patched back to 1.0. So the latest version of each of those for your project will use patched jQuery 2.2 and ditch support for IE, and so no jQuery v1.