@SimonWaters opened this issue on December 15th 2016

In testing 3.0.0-rc3 I ran a tool which uses retirejs to assess the state of the JavaScript included.

It noted that Angular 1.4.10 and jQuery 2.2.3 are in use, and that these both have known security issues.

I noted also it is possible to generate reports that trigger Angular expression parsing errors, so it might be possible to create a stored XSS issue via accessing constructors in Angular expressions, although I haven't demonstrated this. Migrating to a patched release of Angular may be easier than demonstrating Piwik isn't vulnerable to this (I'm still working out how I created parsing errors and will raise a ticket when I know).

I note also reports are only shown to the current owner, so this may not be usefully exploitable even if it is exploitable.

@mattab commented on December 15th 2016

Thanks for the report. In https://github.com/piwik/piwik/pull/11021 we upgrade AngularJS but there was no change to the sanitize library, so we should be safe. We'll upgrade jQuery in a subsequent point release.

@mattab commented on February 20th 2017

We need to update all JS libraries used at some point. Would be great if you (or someone else) could help with this :+1:

This issue was closed on February 20th 2017