Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refinerycms-core depends on a version of jquery-ui-rails with XSS vulnerabilities #3534

Open
n7st opened this issue Feb 5, 2024 · 1 comment
Open

refinerycms-core depends on a version of jquery-ui-rails with XSS vulnerabilities #3534

n7st opened this issue Feb 5, 2024 · 1 comment

Comments

@n7st
Copy link
Contributor

n7st commented Feb 5, 2024
edited
Loading

I'm seeing several dependabot security alerts due to jquery-ui-rails version 6's dependency on jQuery UI v1.12 (e.g. GHSA-gpqq-952q-5327).

These can be fixed by upgrading jquery-ui-rails to v7.0.0.

There's a slight issue with upgrading in that presently, the jquery-ui-rails gem hasn't got any maintainers who can push it to rubygems.

I believe this can be achieved (at least temporarily) using the GitHub repository's v7.0.0 tag.
@n7st
Copy link
Contributor Author

n7st commented Apr 18, 2024

jquery-ui-rails has a new maintainer who's released version 7.0.0 with the XSS fixes, but it looks like refinerycms-core is locked to version 6.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@n7st