We continuously scan all products and packages that we use in our production environment.
Afterwards we decide whether a found CVE is viable or not. We have Matomo version 4.10.1 in use and our scanning tool of choice (Sonatype Nexus IQ) found the following vulnerability:
The jquery-ui package is vulnerable to Cross-Site Scripting (XSS) attacks. In cases where the checkboxradio widget is initialized within a label element, the _getCreateOptions() function in checkboxradio.js will erroneously decode any encoded HTML elements within the label when the .checkboxradio( "refresh" ) function is invoked.
The application is vulnerable by using this component if users are able to manipulate the contents of label elements that also contain a checkboxradio widget.
So, I have to kind of evaluate whether this CVE is viable or not. Actually, I would say it's not, because Matomo doesn't use the described functions or "label elements that contain a checkboxradio widget".
Please let me know if I'm wrong. 😉
Any plans of updating jQuery UI in future releases?
We may fully remove jQuery UI as part of #16033
Besides that we are not aware of any CVE reported for jQuery UI that really affects Matomo.
As we are not using many parts of jQuery UI anymore, most reports affect parts we don't use at all, like this one.