Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160 in limesurvey/limesurvey

Valid

Reported on

Feb 20th 2023

Description

Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160

Proof of Concept

  1. Go to https://demo.limesurvey.org/tmp/assets/15bf41ab/jquery-ui.min.js and note that jquery-ui 1.13.1 is in use.
  2. Check https://github.com/LimeSurvey/LimeSurvey/blob/master/vendor/jquery-ui/jquery-ui.min.js and note that jquery-ui 1.13.1 is in use.
  3. Go to https://security.snyk.io/vuln/SNYK-JS-JQUERYUI-2946728 and note 1.13.1 is vulnerable to CVE-2022-31160.

Impact

This vulnerability is capable of invoking XSS upon executing the poc

Occurrences

1.13.1 version

We are processing your report and will contact the limesurvey team within 24 hours. a month ago
Joshua Chan modified the report
a month ago
Carsten Schmitz validated this vulnerability a month ago
Joshua Chan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 5.6.8 with commit 47c5aa a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 27th 2023
jquery-ui.min.js#L1 has been validated
Carsten Schmitz gave praise a month ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Joshua Chan
a month ago

Researcher

Hi Carsten,

Just to check the vulnerable library must exist in both the demo site and github repo as well? If either one is not a vulnerability?

Regards Joshua

Carsten Schmitz
a month ago

Maintainer

The demo is always updated automatically after release.

Carsten Schmitz published this vulnerability 24 days ago
to join this conversation