What is the jQuery version of Moodle 3.8? Also, regarding the YUI, I want to know how I can disable that in 3.8.
jQuery 3.4.1
I don't think you can 'disable' YUI as there are still some parts that use it. It shouldn't matter. What are you trying to do?
How can I check that?
I am looking for this CVE-2020-11022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://github.com/advisories/GHSA-gxr4-xjj5-5px2
Ok - I'm moving this to the security and privacy forum. I have no idea if Moodle is affected by CVE-2020-11022 and/or if it has been considered.
I see this workaround for that.
https://github.com/advisories/GHSA-gxr4-xjj5-5px2
However, I don't know where I should apply that snippet.
Is there a possibility that the latest jQuery version will be integrated into Moodle in one of the next patches? Or isn't Moodle affected by this vulnerability in jQuery 3.4.1 at all?
Hi Thomas,
I can confirm there is already an issue logged in Tracker to upgrade jQuery to 3.5.1. Please be aware that, as per our Security Procedures, the best thing to do if you suspect Moodle or any of its third-party libraries have a potential security issue is to raise a security issue in Tracker or send us an email (rather than posting in a public forum).
Thanks.
Hi Michael,
I cannot find the issue to upgrade jQuery to 3.5.1 in Tracker. Is there a special place for security tickets?
Hi Franziska,
In line with our responsible disclosure policy, access to security issues is restricted, so details are not publicly available until they are announced after a patch is released.
Is there any update on this issue?
Hi Berengar,
I am currently working on upgrading jQuery. Will submit the issue for review soon.
Ilya