#29029 closed Bug (wontfix)
Django 1.8.18 admin uses jquery version with security issues
| Reported by: | Michael Clagett | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.8 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
Jquery 1.11.2 has known security issues.: https://github.com/jquery/jquery/issues/2432
Change History (3)
comment:1 by , 7 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 7 years ago
The XSS vulnerability is present in all jQuery versions prior to 3.x. If I'm reading Django's git logs correctly, master contains jQuery 3.x but no version of Django with jQuery 3.x has been released yet. So all released versions are at risk.
Even if Django's own code does not make use of the vulnerable functions, it remains that:
- Developers basing their sites on Django and customizing their admin interface use the jQuery shipped with Django.
- 3rd party libraries that augment the admin interface also use the jQuery that is shipped with Django.
comment:3 by , 7 years ago
Correct, and doing a major jQuery version upgrade on the stable releases is too risky, I think.
Note:
See TracTickets
for help on using tickets.
As far as I saw, the admin doesn't use any of the features of jQuery which are vulnerable. If you found differently, please contact security@….