  • CampanaP 4 posts 54 karma points
    Apr 18, 2023 @ 15:40
    CampanaP
    0

    Umbraco 8 - Vulnerability

    Hello everyone, we have developed a site with Umbraco 8.18.3 and several vulnerabilities have been reported to us through penetration tests. The reports are as follows:

    • Web application is using End of Life AngularJS. This is determined based on AngularJS version. Security updates for certain AngularJS are not available due to EOL. After 31 December 2021 1.x AngularJS is no longer being supported. The system is at high risk of being exposed to new security vulnerabilities.
    • TinyMCE is a JavaScript library which provides customizable, scalable, and flexible rich text editor. The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.
    • Moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.
    • jQuery UI is a collection of GUI widgets, animated visual effects, and themes implemented with jQuery (a JavaScript library), Cascading Style Sheets, and HTML. The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.
    • AngularJS is a discontinued free and open-source JavaScript-based web framework for developing single-page applications. The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.

    Excuse the length, but to avoid mistakes I preferred to quote verbatim. As you can see, they are all reported vulnerabilities on old libraries used by Umbraco's BackOffice. Is there anything we can do to update these libraries without having to upgrade the Umbraco version to a version later than 8?

    Thank you in advance for your support.

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Apr 19, 2023 @ 08:01
    Huw Reddick
    100

    Some links to explain:

    TinyMce: https://github.com/umbraco/Umbraco-CMS/issues/10217#issuecomment-852400225

    AngularJs: https://our.umbraco.com/forum/umbraco-9/107809-penetration-testing-with-angularjs1x

    JQuery-ui: You could try just replacing the published jquery-ui file; it is in the /umbraco/lib/jquery-ui folder. I doubt that replacing it would cause any major issues (but keep a copy of the old one just in case :))
