1 saunders Jun 08, 2020 11:01
3 amoun Jun 08, 2020 22:54
Hi You don't say how much you looked into the details of the vulnerabilities so the following may be stuff you know or don't want to know.
Here's some info on bootstrap 3.3.7
https://stackoverflow.com/questions/52388366/is-bootstrap-3-3-7-safe-and-secured-if-data-target-attribute-is-unused
and some on jquery 1.12.4
http://www.sjoerdlangkemper.nl/2017/09/27/some-libraries-evaluate-remote-javascript/
I'm running b2evo 7.1.5 and ran one of my sites through https://webpagetest.org/ but didn't get any warnings, so maybe I'm missing something. How did you use the site?
4 saunders Jun 09, 2020 11:06
@amoun You are running 7.1.5 - I am running 6.11.5 so may be your version uses a recent version of bootstrap and jquery.
I used webpagetest as is has to. Entered the link to the website, have chosen Frankfurt and Chrome and got a report. This report showed an "E" towards System Security Scoring (see screenshot below). Clicking on that "E" to get more information I got that detailed report I posted as a screenshot above.
5 fplanque Jul 23, 2020 02:19
Yes those libraries have been updated in b2evo v7.
6 saunders Jul 23, 2020 10:08
@fplanque Is it possible to update those libraries manually for 6.11.5 ?
(I changed my upgrade praxis experiencing several problems after each. The version 6.11.5 and some adtaptions work fine for me and whenever it is possible I'll keep it. But I try to fix security matters. So I would appreciate help how to update those libraries and I think many others would appreciate it, too.)
Thanks in advance, Will
7 northlight Jul 24, 2020 06:07
I saw this here:
https://github.com/b2evolution/b2evolution/compare/7.2dev
https://github.com/b2evolution/b2evolution/commit/fe59c88123e300514dc9e50624325b19220bffd6
https://github.com/b2evolution/b2evolution/commit/ef847a8625b95a5cd6466ac9922f5d876c5c4507
On the first sight - it doesn't look like drag and drop.
Here is the screenshot