Hello everyone, we have developed a site with Umbraco 8.18.3 and several vulnerabilities have been reported to us through penetration tests.
The reports are as follows:
Web application is using End of Life AngularJS. This is determined based on AngularJS version. Security updates for certain AngularJS are not available due to EOL. After 31 December 2021 1.x AngularJS is no longer being supported. The system is at high risk of being exposed to new security vulnerabilities.
TinyMCE is a JavaScript library which provides customizable, scalable, and flexible rich text editor.
The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.
Moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates.
The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.
jQuery UI is a collection of GUI widgets, animated visual effects, and themes implemented with jQuery (a JavaScript library), Cascading Style Sheets, and HTML.
The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.
AngularJS is a discontinued free and open-source JavaScript-based web framework for developing single-page applications.
The web application is using a JavaScript library that is known to contain at least one vulnerability. Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.
Excuse the length, but to avoid mistakes I preferred to quote verbatim.
As you can see, they are all reported vulnerabilities on old libraries used by Umbraco's BackOffice.
Is there anything we can do to update these libraries without having to upgrade the Umbraco version to a version later than 8?
Umbraco 8 - Vulnerability
Thank you in advance for your support.
Some links to explain:
TinyMce: https://github.com/umbraco/Umbraco-CMS/issues/10217#issuecomment-852400225
AngularJs: https://our.umbraco.com/forum/umbraco-9/107809-penetration-testing-with-angularjs1x
JQuery-ui: You could try just replacing the published jquery-ui file, it is in /umbraco/lib/jquery-ui folder. I doubt that replacing it would cause any major issues (but keep a copy of the old one just in case :))