Hi, as part of our project requirements, we need to run the OWASP Dependency-Check and resolve all findings. The check returned 3 medium vulnerabilities on Bootstrap and jQuery.
Is it possible to upgrade these dependencies?
Hello Alvin
The result is probably on MEDIUM because we're not using the latest versions of Bootstrap and jQuery, but I assure you that they are safe.
Our developers will update them in the future, but since the plugin heavily relies on both, it has to go through a lot of testing before it is included in the live version of the plugin, so I can't say when this will be updated.
Kind Regards,
Aleksandar Vuković
[email protected]
Rate my support
wpDataTables: FAQ | Facebook | Twitter | Instagram | Front-end and back-end demo | Docs
Amelia: FAQ | Facebook | Twitter | Instagram | Amelia demo sites | Docs | Discord Community
You can try wpDataTables add-ons before purchasing on these sandbox sites:
Powerful Filters | Gravity Forms Integration for wpDataTables | Formidable Forms Integration for wpDataTables | Master-Detail Tables
Hi Aleksandar,
I'm sharing the generated OWASP Dependency-Check report (it is an HTML file, renamed to .txt). Would you be able to advise how these 11 medium findings are mitigated in wpDataTables (e.g. the functionality is not used, hence it's a false positive)?
I need to get the findings mitigated before I am able to go live with this plugin.
Thanks!
Hello again Alvin
This is something I can't do without our lead developer, and he'll be out of the office until Monday. Would it be OK for you to wait for him to get back?
Kind Regards,
Aleksandar Vuković
[email protected]
Hi Aleksandar,
Sorry for the delay in response. Yes, would you be able to provide the information to us by today?
Hi again, Alvin
Our developer got back today, so I sent him the ticket. As soon as I hear from him, I will let you know.
Kind Regards,
Aleksandar Vuković
[email protected]
Hi again Alvin
Files from the lib folder are not being executed; they come from the library we're using for other functionalities of the plugin. The ones that are not from lib - the data attributes for dynamic sending or showing data - are not being used.
We will update the plugin to the fixed version of Bootstrap, and after it goes through proper testing it will be included in one of our next updates.
Kind Regards,
Aleksandar Vuković
[email protected]
Hi Aleksandar,
Thanks for the reply. Just to confirm my understanding:
1. The 2 files below are sample data from the phpoffice library and are not being used by wpDataTables, and hence can be safely ignored.
\wpdatatables\lib\phpoffice\phpspreadsheet\samples\bootstrap\js\bootstrap.min.js
\wpdatatables\lib\phpoffice\phpspreadsheet\samples\bootstrap\js\jquery.min.js
2. For \wpdatatables\assets\js\bootstrap\noconf.bootstrap.min.js the 4 data attributes below are not being used by wpDataTables for any purpose and can also be ignored.
- In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
- In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
- In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
- In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
That's right, Alvin, it's a false alarm, so to speak.
There is a security vulnerability regarding Bootstrap 3.3.7. It says that “Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute.”
The so-called vulnerability only occurs if the data-target value relies on data injected by something external (directly or indirectly) AND is shown on a page where other users than the attacker are affected.
Kind Regards,
Aleksandar Vuković
[email protected]
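As an added example (not code from this thread or from the wpDataTables plugin), the following audit checks a page's rendered markup for the four Bootstrap data attributes discussed above, so the claim that they are unused or static can be verified on the live site rather than taken on trust. It assumes markup is scanned as a string with quoted attribute values, and treats a value as static only when it is a plain #id or .class selector; the sample HTML is constructed for illustration.

```javascript
// Added example, not part of the wpDataTables plugin or the thread above.
// Attributes Dependency-Check flagged for the affected Bootstrap versions.
const RISKY_ATTRS = ['data-target', 'data-parent', 'data-container', 'data-template'];

// A value counts as static only if it is exactly one #id or .class token.
// Anything else (templated, concatenated, or containing markup) is reported
// so a reviewer can confirm it does not come from user-controlled data.
const STATIC_SELECTOR = /^[#.][A-Za-z_][\w-]*$/;

// Matches name="value" or name='value' for the four attributes (quoted values only, an assumption).
const ATTR_RE = /\b(data-(?:target|parent|container|template))\s*=\s*(["'])(.*?)\2/gi;

function auditBootstrapDataAttributes(html) {
  const findings = [];
  let m;
  while ((m = ATTR_RE.exec(html)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[3];
    if (attr === 'data-template') {
      // Before 3.4.1 / 4.3.1, tooltip and popover insert this markup without sanitising it.
      findings.push({ attr, value, reason: 'template markup is inserted unsanitized in affected versions' });
    } else if (!STATIC_SELECTOR.test(value)) {
      findings.push({ attr, value, reason: 'not a plain #id/.class selector; confirm it is not user-controlled' });
    }
  }
  return findings;
}

// Constructed sample markup: a static collapse target (fine), a templated
// data-parent value (reported), and a tooltip template (reported).
const SAMPLE_HTML = [
  '<button data-toggle="collapse" data-target="#orders">Orders</button>',
  '<a data-toggle="collapse" data-parent=".col-{{category}}">Open</a>',
  '<span data-toggle="tooltip" data-template="<div class=\'tooltip\'><div class=\'tooltip-inner\'></div></div>">?</span>',
].join('\n');

console.log(JSON.stringify(auditBootstrapDataAttributes(SAMPLE_HTML), null, 2));
```

Run it against the HTML served by the page that loads noconf.bootstrap.min.js; an empty result for the RISKY_ATTRS set is the evidence a reviewer can attach to a Dependency-Check suppression note.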