Upgrading jQuery from 1.10 to latest [CVE-2015-9251]

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
5 years ago
Hi,

According to the NIST link below, there is a security flaw affecting jQuery versions below 3.0.0. The security flaw, from how I understand, has to do with a missing dataType option in AJAX requests, resulting in an XSS vulnerability. I noticed that in my version of nopCommerce 3.9 all jQuery versions installed are 1.10.x. I also noticed that this is true for 4.0 as well. Are there any plans on upgrading jQuery for nop?

https://nvd.nist.gov/vuln/detail/CVE-2015-9251
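
As an added example (not part of the thread and not nopCommerce code): for a store that stays on jQuery 1.10.x until it can upgrade, the sketch below registers the same kind of prefilter that jQuery 3.0.0 ships, so a cross-domain response is not executed as script unless the request set dataType explicitly. `isAffected` and `hardenAjax` are hypothetical helper names; `ajaxPrefilter`, `crossDomain` and `contents` are jQuery's own.

```javascript
// Added example: interim hardening for pages that still load jQuery < 3.0.0.
// isAffected and hardenAjax are names made up for this sketch.

// True when a jQuery version string (e.g. $.fn.jquery) is below 3.0.0,
// the range the NVD entry gives for CVE-2015-9251.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?/.exec(String(version).trim());
  if (!m) return true; // unknown version: treat as affected
  const major = Number(m[1]);
  if (major !== 3) return major < 3;
  // 3.0.0 pre-releases (e.g. "3.0.0-rc1") sort before 3.0.0.
  return Number(m[2]) === 0 && Number(m[3] || 0) === 0 && Boolean(m[4]);
}

// Registers a prefilter so that a cross-domain response is never picked up
// as "script" by content-type sniffing. Requests that pass dataType
// explicitly are unaffected, because jQuery skips sniffing for them.
// Returns true when the prefilter was installed.
function hardenAjax($) {
  if (!$ || typeof $.ajaxPrefilter !== "function") return false;
  if (!isAffected($.fn && $.fn.jquery)) return false;
  $.ajaxPrefilter(function (s) {
    if (s.crossDomain && s.contents) {
      s.contents.script = false; // no automatic script evaluation
    }
  });
  return true;
}

// Browser usage: run after jquery.min.js has loaded and before any $.ajax call.
if (typeof window !== "undefined" && window.jQuery) {
  hardenAjax(window.jQuery);
}
```

This narrows the exposure on old versions but does not replace the upgrade; same-origin requests and explicitly typed requests behave as before.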
5 years ago
Thanks! We have this work item - https://github.com/nopSolutions/nopCommerce/issues/2637
5 years ago
Thanks for the link. It's great to hear that it's already on the agenda.
5 years ago
Hi, can I just update all third party libraries in the current version of nopCommerce, like 4.0 or the earlier versions?
Is it done just by changing the jquery.min.js file (and the corresponding others)?

Is there a reason (beyond why-fix-it-if-it-is-not-broken) that 4.0 uses, for example, jQuery 1.10? It is a more than 5 years old package; the current version is 3.3. Are there some incompatibilities if I change it to the current?
5 years ago
We've updated all client libraries in the upcoming version 4.10