jQuery Vulnerability in latest Matamo

Armfns001 · August 3, 2022, 2:05pm

We have installed the latest Matamo version v4.10.x. The security vulnerabilities have identified bugs n jQuery packages thats bundled within the Matamo software. The vulnerabilities remediation is to upgrade the Jquery from v2.2.4 to the latest version 3.6.

Please let us know the plan for Matamo to include the latest Jquery package.

Also is there a patch that can be executed to upgrade Jquery?

Lukas · August 3, 2022, 2:12pm

Hi,

See

github.com/matomo-org/matomo

'npm audit' reports problems with some node dependencies

opened 01:11PM - 12 May 21 UTC

andyjdavis

Potential Bug

'npm audit' outputs warnings if you are running versions of node modules with kn…own security problems. These are not necessarily exploitable in the context of Matomo but its still nice to tidy them up. On current 4.x-dev I get the following. ``` # npm audit report jquery <=3.4.1 Severity: high Cross-Site Scripting - https://npmjs.com/advisories/1518 Cross-Site Scripting (XSS) - https://npmjs.com/advisories/328 Prototype Pollution - https://npmjs.com/advisories/796 fix available via `npm audit fix --force` Will install jquery@3.6.0, which is a breaking change node_modules/jquery materialize-css * Severity: moderate Cross-Site Scripting - https://npmjs.com/advisories/817 No fix available node_modules/materialize-css 2 vulnerabilities (1 moderate, 1 high) ``` ## Expected Behavior 'npm audit' should give Matomo a clean bill of health. ## Current Behavior Warnings about problem dependencies are listed. ## Possible Solution 1) Upgrade jquery to >= 3.6.0 from 2.2.4 2) materialize-css needs to fix this open issue however a fix has been slow to appear https://github.com/Dogfalo/materialize/issues/6286. Failing that it may be worth seeing if another module can replace it. Or we can just ignore the warning about materialize-css but that doesn't feel great. As an aside, it appears that the contents of node_modules is in source control in the Matomo repo. Is that just to be absolutely certain of what version of the dependencies are in use?

and

github.com/matomo-org/matomo

Upgrade to jQuery version 3.5.0 or above

opened 10:32AM - 25 Feb 21 UTC

closed 01:54AM - 19 Mar 21 UTC

ghost

Enhancement answered not-in-changelog

## Summary jQuery version 2.2.4 has an XSS vulnerability. _In jQuery version…s greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0._ See [CVE-2020-11022](https://nvd.nist.gov/vuln/detail/CVE-2020-11022) for details. ## Your Environment * Matomo Version: 4.1.1 * PHP Version: 7.4.7 * Server Operating System: Amazon Linux * Additionally installed plugins: none

for more information on that