Armfns001
(Armedia01)
August 3, 2022, 2:05pm
We have installed the latest Matomo version v4.10.x. Security vulnerabilities have been identified in the jQuery packages that are bundled within the Matomo software. The remediation for these vulnerabilities is to upgrade jQuery from v2.2.4 to the latest version, 3.6.
Please let us know the plan for Matomo to include the latest jQuery package.
Also, is there a patch that can be executed to upgrade jQuery?
1 Like
Lukas
(Lukas Winkler)
August 3, 2022, 2:12pm
Hi,
See
opened 01:11PM - 12 May 21 UTC
Potential Bug
'npm audit' outputs warnings if you are running versions of node modules with known security problems. These are not necessarily exploitable in the context of Matomo but it's still nice to tidy them up.
On current 4.x-dev I get the following.
```
# npm audit report
jquery <=3.4.1
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1518
Cross-Site Scripting (XSS) - https://npmjs.com/advisories/328
Prototype Pollution - https://npmjs.com/advisories/796
fix available via `npm audit fix --force`
Will install jquery@3.6.0, which is a breaking change
node_modules/jquery
materialize-css *
Severity: moderate
Cross-Site Scripting - https://npmjs.com/advisories/817
No fix available
node_modules/materialize-css
2 vulnerabilities (1 moderate, 1 high)
```
## Expected Behavior
'npm audit' should give Matomo a clean bill of health.
## Current Behavior
Warnings about problem dependencies are listed.
## Possible Solution
1) Upgrade jquery to >= 3.6.0 from 2.2.4
2) materialize-css needs to fix this open issue however a fix has been slow to appear https://github.com/Dogfalo/materialize/issues/6286. Failing that it may be worth seeing if another module can replace it. Or we can just ignore the warning about materialize-css but that doesn't feel great.
As an aside, it appears that the contents of node_modules is in source control in the Matomo repo. Is that just to be absolutely certain of what version of the dependencies are in use?
and
opened 10:32AM - 25 Feb 21 UTC
closed 01:54AM - 19 Mar 21 UTC
Enhancement
answered
not-in-changelog
## Summary
jQuery version 2.2.4 has an XSS vulnerability.
_In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0._
See [CVE-2020-11022](https://nvd.nist.gov/vuln/detail/CVE-2020-11022) for details.
## Your Environment
* Matomo Version: 4.1.1
* PHP Version: 7.4.7
* Server Operating System: Amazon Linux
* Additionally installed plugins: none
for more information on that
1 Like