Upgrading Bootstrap version


by madhura railkar -
Number of replies: 6
Hello Everyone,
Can anyone suggest to me how to upgrade the Bootstrap version in Moodle 3.8?
In reply to madhura railkar

Re: Upgrading Bootstrap version

by Howard Miller -
Not easily... why would you want to?
In reply to Howard Miller

Re: Upgrading Bootstrap version

by madhura railkar -
During security testing it was observed that vulnerable third-party libraries/platforms are used in the Moodle site. An attacker can use this framework vulnerability to perform XSS on the application and carry out malicious activities.

So the security team recommended upgrading jQuery and Bootstrap to the latest stable version.

I was able to manage the upgrade of jQuery, but I am not finding any documentation for upgrading Bootstrap.

So I sent a reply back to the security team that it is not possible to upgrade Bootstrap, as it can affect the whole site's functionality and create conflicts.

But they want a valid document explaining why it is not possible to do that.

So I am not sure whether we can achieve that or not.
In reply to madhura railkar

Re: Upgrading Bootstrap version

by Leon Stringer -

This sounds like a bad idea. I cannot see any vulnerabilities in jQuery 3.4.1 listed in the CVE database so I suggest the security team are wrong to recommend upgrading this. You should restore jQuery to the original version.

Moodle is maintained as a single system with weekly updates and security fixes (e.g. in Moodle 3.8.7). If you become aware of a vulnerability that can be exploited then you should open a security issue in the Tracker and it will be investigated.

If you modify core source code then you have a site which behaves differently to all others. This will complicate support issues and it adds an extra step when applying the updates needed to install security fixes from Moodle.

In reply to madhura railkar

Re: Upgrading Bootstrap version

by Howard Miller -
You know Bootstrap is a CSS framework? I cannot imagine how it could be vulnerable to an XSS attack.

You're not supposed to upgrade these libraries. Most of these so-called vulnerabilities are spurious. However, if you are concerned about Moodle security (and you probably should be) you should be running the latest release (3.10). Moodle is tested extensively with the library versions included. The chances of you upgrading these libraries and it still working properly is remote.

If you think you have a genuine security concern then this should be logged in tracker.moodle.org.
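Both replies above turn on the same practical point: before arguing with a scanner report, establish exactly which library versions the site actually bundles, and then check those versions against the CVE database rather than a generic "upgrade to latest" recommendation. Moodle records its bundled libraries in `thirdpartylibs.xml` manifests (core's `lib/thirdpartylibs.xml`; themes such as Boost, where Bootstrap lives, carry their own). The script below is an added example written for this thread, not code from Moodle or from anyone in the discussion: it parses a manifest in that format and flags only the libraries that sit below a minimum version you supply. The embedded XML is a constructed sample in the manifest's shape (only the jQuery 3.4.1 figure comes from the thread; the other entries and the `REQUESTED_MINIMUMS` values are illustrative), and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Moodle's thirdpartylibs.xml manifests.
# Versions other than jQuery 3.4.1 are illustrative, not copied from a release.
SAMPLE_XML = """<?xml version="1.0"?>
<libraries>
  <library>
    <location>jquery</location>
    <name>jQuery</name>
    <version>3.4.1</version>
    <license>MIT</license>
  </library>
  <library>
    <location>scss/bootstrap</location>
    <name>Bootstrap</name>
    <version>4.3.1</version>
    <license>MIT</license>
  </library>
  <library>
    <location>adodb</location>
    <name>ADOdb</name>
    <version>5.20.14</version>
    <license>BSD</license>
  </library>
</libraries>
"""

# Illustrative minimums of the kind a scanner report might demand (constructed values).
REQUESTED_MINIMUMS = {"jQuery": "3.4.1", "Bootstrap": "4.4.0"}


def parse_thirdpartylibs(xml_text):
    """Return {library name: version string} from a thirdpartylibs.xml document.

    Entries without a <name> or <version> element are skipped rather than
    guessed, so the output only contains what the manifest actually states.
    """
    root = ET.fromstring(xml_text)
    versions = {}
    for lib in root.findall("library"):
        name = lib.findtext("name")
        version = lib.findtext("version")
        if name and version:
            versions[name.strip()] = version.strip()
    return versions


def version_key(version):
    """Turn '4.3.1' (or '3.4.1-rc1') into a tuple of ints; non-numeric tails are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_below(version, minimum):
    """True if `version` is older than `minimum`.

    Tuples are padded with zeros so that '3.4' compares equal to '3.4.0'
    instead of sorting below it (plain tuple comparison would get that wrong).
    """
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def flag_outdated(versions, minimums):
    """Return {name: (bundled, required)} for bundled libraries below the required minimum.

    Libraries named in `minimums` but absent from `versions` are not reported:
    they may live in another manifest (e.g. a theme's), so check those files too.
    """
    outdated = {}
    for name, minimum in minimums.items():
        bundled = versions.get(name)
        if bundled is not None and is_below(bundled, minimum):
            outdated[name] = (bundled, minimum)
    return outdated


if __name__ == "__main__":
    bundled = parse_thirdpartylibs(SAMPLE_XML)
    for name, ver in sorted(bundled.items()):
        print(f"{name:<10} {ver}")
    for name, (have, want) in flag_outdated(bundled, REQUESTED_MINIMUMS).items():
        print(f"below requested minimum: {name} {have} < {want}")
```

To run this against a real site, read each `thirdpartylibs.xml` on disk into `parse_thirdpartylibs` instead of `SAMPLE_XML`. The manifest output is the "valid document" the security team asked for: it shows the precise versions shipped with the release, which is what should be looked up in the CVE database, and it is what a Tracker issue should quote if a genuine, exploitable finding turns up.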