Describe the issue or problem
I used Acunetix to scan my newly installed OJS 3.4.0-4 version website for vulnerabilities.Then the following weaknesses appear, how to solve them?
- Chart.js Improper Input Validation Vulnerability
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution. - jQuery Validation Other Vulnerability
The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch. - jQuery Validation Other Vulnerability
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method - jQuery UI Dialog Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) Vulnerability
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various*Text
options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various*Text
options are now always treated as pure text, not HTML. A workaround is to not accept the value of the*Text
options from untrusted sources. - Vulnerable JavaScript libraries
You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported. - Active Mixed Content over HTTPS
Active Content is a resource which can run in the context of your page and moreover can alter the entire page. If the HTTPS page includes active content like scripts or stylesheets retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content is accessible to sniffers.
Steps I took leading up to the issue
N/A
What application are you using?
OJS 3.4.0-4
Additional information
N/A