Moodle / MDL-66186

jQuery 3.2.x minor security vuln - update to 3.4.x or patch 3.2.x

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.5.7, 3.6.5, 3.7.1
    • Fix Version/s: None
    • Component/s: JavaScript, Libraries
    • Labels:
      None
    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE

      Description

      There is a minor and relatively hard-to-exploit security vulnerability in jQuery 3.2.x that ships with currently security-supported versions of Moodle, e.g. 3.5.x.

      More information on the vulnerability patched in jQuery 3.4.0:

      Two options I see that would fix this:

      1. Update to jQuery 3.4.x and backport the other fixes from MDL-65751; or
      2. Patch the jQuery 3.2.x version as mentioned on the jQuery release page
        https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
        The latter looks pretty easy - a one-line patch.

      Ref MDL-65751

              People

              Assignee:
              Unassigned
              Reporter:
              mwebster Mark van Hoek
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón