Outdated jQuery version (3.3.1) in Autopilot Manager package #30

@maxim366

Description

Dear Olivier,

Thank you for your contribution to the IT community. We have been using the Autopilot Manager solution for a long time and it has been very helpful!

Our security team reported that the package includes jQuery 3.3.1, which has known vulnerabilities. The affected file is:
https://ourwebsite/lib/jquery/dist/jquery.min.js

Since this solution is configured to update automatically from your repository by design, the fix needs to be applied on your side.

Vulnerability details

The version currently bundled (jQuery 3.3.1) includes multiple known security issues:

CVE-2020-11022 (Cross-Site Scripting in .html() / .append() methods)
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11022

CVE-2020-11023 (Cross-Site Scripting in elements)
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11023

CVE-2019-11358 (Prototype Pollution vulnerability)
Proof-of-Concept: https://www.exploit-db.com/exploits/52141

General jQuery security advisories:
GitHub Advisories: https://github.com/jquery/jquery/security/advisories

Snyk Security report for jQuery 3.3.1: https://security.snyk.io/package/npm/jquery/3.3.1

According to Snyk, the latest safe version is jQuery 3.7.1:
https://security.snyk.io/package/npm/jquery

Request

Could you please confirm if updating to the latest stable version (currently 3.7.1) is planned as part of an upcoming release? Since the package is pulled directly from your repository, we cannot resolve this issue on our side without the update being applied upstream.

Contact

If you need any information/collaboration, you are more than welcome to contact me here on GitHub or email maxim.ogoreltsev@jti.com.

Thank you very much in advance for your support.
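A defender-side check for the situation described in this issue, added here as an example and not code from the Autopilot Manager project or from the reporter: it reads the version banner that jQuery builds carry (`/*! jQuery vX.Y.Z ...` in the minified file, `version = "X.Y.Z"` in the unminified one) and reports which of the advisories listed above the bundled copy predates, plus whether it is below the 3.7.1 version the issue asks for. The fixed-in versions (3.4.0 for CVE-2019-11358, 3.5.0 for the two XSS CVEs) come from the jQuery release notes for those advisories; the sample file contents are constructed, not taken from the package.

```javascript
// Added example (not part of the original issue or the project):
// audit a bundled jquery.min.js / jquery.js against the advisories the issue cites.

// Advisory -> first jQuery version that contains the fix.
const ADVISORIES = [
  { id: "CVE-2019-11358", fixedIn: "3.4.0", summary: "Prototype pollution in jQuery.extend" },
  { id: "CVE-2020-11022", fixedIn: "3.5.0", summary: "XSS via .html()/.append() with untrusted HTML" },
  { id: "CVE-2020-11023", fixedIn: "3.5.0", summary: "XSS via <option> elements in untrusted HTML" },
];

// Pull the version string out of a jQuery build. Assumes the standard banner
// (minified build) or the `version = "X.Y.Z"` assignment (unminified build).
function extractJqueryVersion(source) {
  let m = source.match(/\/\*!\s*jQuery v(\d+\.\d+\.\d+)/);
  if (!m) {
    m = source.match(/version\s*=\s*"(\d+\.\d+\.\d+)"/);
  }
  return m ? m[1] : null;
}

// Numeric semver comparison (major.minor.patch); string comparison would
// wrongly rank "3.10.0" below "3.9.1".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the detected version, the advisories it is still exposed to, and
// whether it is older than the minimum the security team requires.
function auditJquery(source, minimumVersion = "3.7.1") {
  const version = extractJqueryVersion(source);
  if (version === null) {
    return { version: null, unpatched: [], outdated: null, error: "no jQuery version banner found" };
  }
  const unpatched = ADVISORIES
    .filter((a) => compareVersions(version, a.fixedIn) < 0)
    .map((a) => a.id);
  return { version, unpatched, outdated: compareVersions(version, minimumVersion) < 0 };
}

// Constructed sample inputs standing in for the first bytes of a bundled file.
const SAMPLE_OLD =
  '/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n' +
  "!function(e,t){/* ... */}(window);";
const SAMPLE_NEW =
  '/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */';

console.log(JSON.stringify(auditJquery(SAMPLE_OLD), null, 2));
console.log(JSON.stringify(auditJquery(SAMPLE_NEW), null, 2));
```

To run it against a real deployment, pass `fs.readFileSync("lib/jquery/dist/jquery.min.js", "utf8")` to `auditJquery`; a non-empty `unpatched` list is the finding the security team above reported, and `outdated: true` with an empty list means the copy is patched for these three advisories but still behind the requested release.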

Metadata

Assignees

Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests