Feeling Lucky
?
[#37308] - Backport JQuery UI security patch for CVE-2021-41184
- Fixed in Code Base
- 18 Mar 2022
- Medium
- Build: 3.10-dev
- # 37308
- Diff
- SniperSister:3x-jqueryui-backport
User tests: Successful: Unsuccessful:
Summary of Changes
JQuery UI versions prior to 1.13.0 have a potential XSS attack vector that can be used to execute code in the browser context. Joomla core itself does not have such an attack vector, however we can't rule out that 3rd party extensions are vulnerable, why we backport the patch to the JQuery UI version used in 3.x.
4.x is not affected as it does not ship JQuery UI.
Testing Instructions
- Open the article manager in the backend, click on the "sort by ordering" column head, wait for the page to reload.
- Open developer tools and verify that no JS-related error message is shown in the console.
Actual result BEFORE applying this Pull Request
No error, patch not being backported.
Expected result AFTER applying this Pull Request
No error, patch backported.
Documentation Changes Required
Doc block in both files has been updated to reflect the change.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | JavaScript |
| Labels |
Added:
?
|
||
zero-24
- comment
- 18 Mar 2022
Merging here. Thanks David!
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-03-18 10:49:06 |
| Closed_By | ⇒ | zero-24 |
As its just a comment change that is not included into the minified version we done need a change to the min file.