Bootstrap upgrade
- Talsaady
- Topic Author
regards
- jelo
Talsaady wrote: Hi, I am using LimeSurvey ver. 3.17.8 with Bootstrap version 3.3.7, which has some vulnerabilities.
Can you provide some info about the vulnerabilities? I recommend opening a bug report with LimeSurvey if you see a security issue running a survey with the shipped Bootstrap package.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
- Talsaady
- Topic Author
Actually, the attached picture shows our security scan result on our survey site.
regards,
- tpartner
- LimeSurvey Community Team
Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
- jelo
github.com/LimeSurvey/LimeSurvey/blob/ma.../js/source/jquery.js or github.com/LimeSurvey/LimeSurvey/blob/ma...ibs/jquery/jquery.js
It's not always the case that such libraries can be exploited. It depends a bit on how LimeSurvey has integrated the libraries. The impact can differ a lot.
jQuery:
www.cvedetails.com/cve/CVE-2019-11358/
Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases
You should still report your findings, as tpartner already pointed out.
- DenisChenu
- LimeSurvey Community Team
jelo wrote: jQuery:
www.cvedetails.com/cve/CVE-2019-11358/
Unsure, could be impacted (if XSS is on). But we must remove/disable the old jquery.js file …
jelo wrote: Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases
Unsure, could be impacted (if XSS is on), less sure. An XSS user can use a class for the tooltip, but I don't know how to add XSS inside this tooltip.
Think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1
Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
- jelo
DenisChenu wrote: Think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1
Correct, but how will the LimeSurvey dev team monitor the impact from external libs?
The amount of external code is getting bigger and bigger.
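The monitoring question jelo raises above is one a small inventory script can answer. The following is an added example, not code from this thread or from LimeSurvey: it reads the version banner that each bundled jquery.js / bootstrap.js prints in its header and checks it against the releases that fix the two CVEs linked earlier (jQuery 3.4.0 for CVE-2019-11358; Bootstrap 3.4.1 and 4.3.1 for CVE-2019-8331). The fixed-version table is an assumption taken from the upstream advisories, and the sample file paths and headers are constructed for the demo.

```python
import re
from pathlib import Path

# Fix releases per major line for the two CVEs linked in the thread (assumed table, taken
# from the upstream advisories); majors newer than those listed report "not assessed".
ADVISORIES = {
    "jquery": {"cve": "CVE-2019-11358", "fixed": {3: (3, 4, 0)}},
    "bootstrap": {"cve": "CVE-2019-8331", "fixed": {3: (3, 4, 1), 4: (4, 3, 1)}},
}
# Version banners at the top of the library files, e.g. "/*! jQuery v1.12.4 | ..." or " * Bootstrap v3.3.7 (...)".
BANNERS = {
    "jquery": re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)"),
    "bootstrap": re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)"),
}

def detect_version(source):
    """Return (library, (major, minor, patch)) from a JS file header, else None."""
    for lib, pattern in BANNERS.items():
        m = pattern.search(source[:2000])  # banners sit in the first few lines
        if m:
            return lib, tuple(int(x) for x in m.groups())
    return None

def assess(lib, version):
    """'fixed', 'vulnerable' or 'not assessed' against the CVE tracked for lib."""
    fixed = ADVISORIES[lib]["fixed"]
    if version[0] > max(fixed):
        return "not assessed"
    if version[0] in fixed and version >= fixed[version[0]]:
        return "fixed"
    return "vulnerable"  # older major lines never received a fix

def audit_source(path, source):
    found = detect_version(source)
    if found:
        lib, version = found
        return {"path": str(path), "library": lib, "version": ".".join(map(str, version)),
                "cve": ADVISORIES[lib]["cve"], "status": assess(lib, version)}

def audit_tree(root):
    # Inventory every bundled jQuery/Bootstrap copy below a LimeSurvey install directory.
    return [r for p in Path(root).rglob("*.js")
            if (r := audit_source(p, p.read_text(encoding="utf-8", errors="replace")))]
# Constructed sample headers standing in for real files (paths are made up).
SAMPLES = {
    "scripts/jquery.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
    "assets/bootstrap.js": "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */",
    "assets/bootstrap-3.4.1.js": "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */",
}
def audit_samples():
    return [audit_source(p, s) for p, s in SAMPLES.items()]
```

Run `audit_tree("/path/to/limesurvey")` against a real install to list every bundled copy, including stale ones left behind by earlier upgrades.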
- DenisChenu
- LimeSurvey Community Team
- jelo
bugs.limesurvey.org/view.php?id=15141#c53152
The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly. If necessary with an addition to core Bootstrap, or jQuery.