Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Vulnerability Detected: CVE-2024-30875 (Cross-site Scripting - XSS) #2305

Open
goiaalexandru opened this issue Oct 21, 2024 · 11 comments
Open

Comments

@goiaalexandru
Copy link

goiaalexandru commented Oct 21, 2024

Package: jquery-ui@1.13.1 or above.
Vulnerability Title: [CVE-2024-30875] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerability Description:
A Cross-Site Scripting (XSS) vulnerability exists in jquery-ui@1.13.1, allowing a remote attacker to execute arbitrary code and potentially obtain sensitive information. This vulnerability is triggered via a crafted payload targeting the window.addEventListener component.

CVSS Score: 5.1 (Medium)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVE: CVE-2024-30875

Extra: https://cvefeed.io/vuln/detail/CVE-2024-30875

Steps to Reproduce:

Use jquery-ui@1.13.1 or above in a web application.
Send a crafted payload to exploit the window.addEventListener component.
The payload is improperly neutralized, leading to XSS vulnerability.
Please consider patching this vulnerability in the next release.

Thank you!

@jasonparallel
Copy link

Was there an issue that was fixed in 1.13.2 but not included in the release notes (https://jqueryui.com/changelog/1.13.2/)?

@d-ellis
Copy link

d-ellis commented Oct 22, 2024

I don't think there's anything to fix. The CVE proof of concept is so vague it can apply to any app, even if it doesn't use any dependencies. It boils down to "If you take user input and directly insert it into your page, bad things can happen" which is not a jquery-ui problem

@mgol
Copy link
Member

mgol commented Oct 25, 2024

This CVE looks bogus, I'm in the process of disputing it.

@mgol
Copy link
Member

mgol commented Oct 25, 2024

For now, I contacted Snyk and they already took it down from their database: https://security.snyk.io/package/npm/jquery-ui

@d-ellis
Copy link

d-ellis commented Oct 25, 2024

@mgol I was going to wait until Monday for a response from the reporter and then figure out how to dispute it, but that saves me a job

@mgol
Copy link
Member

mgol commented Oct 25, 2024

I’ve submitted a CVE request to Mitre to reject this CVE, I’m waiting for a response now.

I was thinking about waiting for the response first, but the whole report looked so shady and people get bombarded by security requests now that I thought I should get the ball rolling ASAP.

@d-ellis
Copy link

d-ellis commented Oct 30, 2024

I submitted a request to Sonatype and they have also removed it from their database

@riverar
Copy link

riverar commented Oct 30, 2024

Thanks @mgol! US Gov. Information Assurance processes are claiming jQuery provided mitigation strategies (upgrading to latest jQuery UI). Have you been in touch with them or is this just (likely) a copy paste error?

@mgol
Copy link
Member

mgol commented Oct 30, 2024

I've released jQuery UI 1.14.1 today. But there's nothing there to address this report as there's nothing to address, it's bogus. I have not been in touch with them.

@riverar
Copy link

riverar commented Oct 30, 2024

I'll handle pushing back in that channel and (hopefully) getting a correction out, thanks for confirming.

@mgroetan
Copy link

mgroetan commented Dec 2, 2024

It's still being reported in Veracode. Anyone been in contact with them?

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Development

No branches or pull requests

6 participants