I used Acunetix to scan my newly installed OJS 3.4.0-4 version website for vulnerabilities

Describe the issue or problem
I used Acunetix to scan my newly installed OJS 3.4.0-4 version website for vulnerabilities. Then the following weaknesses appeared. How do I solve them?

  1. Chart.js Improper Input Validation Vulnerability
    This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
  2. jQuery Validation Other Vulnerability
    The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch.
  3. jQuery Validation Other Vulnerability
    An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method.
  4. jQuery UI Dialog Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) Vulnerability
    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.
  5. Vulnerable JavaScript libraries
    You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
  6. Active Mixed Content over HTTPS
    Active Content is a resource which can run in the context of your page and moreover can alter the entire page. If the HTTPS page includes active content like scripts or stylesheets retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content is accessible to sniffers.

Steps I took leading up to the issue

What application are you using?
OJS 3.4.0-4

Additional information

Hi @yen,

See my response to your earlier post. Long story short, these libraries do not always present a usable attack surface, and in those cases we may not rush to update them. We don’t believe that OJS 3.4.0-4 presents a risk with the issues above due to the way we use those libraries/resources.

Alec Smecher
Public Knowledge Project Team
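
The unchecked deep merge described in finding 1 of the scan report, shown beside a merge that refuses prototype-reaching keys. This is an added example, not part of the original thread and not code from Chart.js or OJS; the function names and the sample options JSON are constructed for illustration.

```javascript
// Added illustration; not Chart.js or OJS source. All names here are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unchecked recursive merge: keys from the supplied options are never inspected.
function mergeUnchecked(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnchecked(target[key], value); // target['__proto__'] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain, recurse only into own properties.
function mergeChecked(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeChecked(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function demo() {
  // Constructed sample standing in for options JSON from an untrusted source.
  const untrusted = JSON.parse('{"title": {"text": "Usage"}, "__proto__": {"polluted": true}}');
  mergeUnchecked({ title: { display: true } }, untrusted);
  const uncheckedPolluted = ({}).polluted === true; // every object now inherits the flag
  delete Object.prototype.polluted; // undo the side effect before the second run
  const merged = mergeChecked({ title: { display: true } }, untrusted);
  return { uncheckedPolluted, checkedPolluted: ({}).polluted === true, merged };
}

console.log(demo());
```

The same check can be used when reviewing where a site passes options into a merge: if the options never come from user-controlled input, the unchecked path is not reachable from outside.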
