Sign in Register
Go to solution
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Sam M 5 posts 85 karma points
    May 11, 2018 @ 19:08
    Sam M
    0

    Use of JavaScript Library with Known Vulnerability

    Hi,

    We provisioned an Umbraco project to a client who did a security scan for the web application. The tool they used complained about the use of JavaScript library with known vulnerability (angular 1.1.5 and bootstrap 3.3.5) that Umbraco uses.

    Is there any efforts to use a stable, more secure libraries with the upcoming releases?

    Have Umbraco developers applied any patches to current libraries that Umbraco currently uses?

    Best Regards,

    Sam

    Copy Link
  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    May 12, 2018 @ 14:26
    Dan Diplo
    100

    I can't answer for the core team, but bear in mind that the Umbraco backend exists behind a password-protected area, so it's not publicly accessible. So this considerably limits the exposure.

    The issue with upgrading is not breaking existing functionality - there are a lot of plugins that use Angular and may risk issues if upgraded. Likewise, latest versions of Bootstrap aren't backwards compatible. It's a huge amount of work to upgrade.

    But there are issues around these that are logged:

    http://issues.umbraco.org/issue/U4-5576

    Copy Link
  • Sam M 5 posts 85 karma points
    May 18, 2018 @ 13:33
    Sam M
    0

    Thank you Dan, I think your comment makes sense.

    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft