Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhnd20tcHY5aC1xNW03

Potential XSS in jQuery dependency in Mirador

Impact

Mirador users less than v3.0.0 (alpha-rc) versions that have an unpatched jQuery. When adopters update jQuery they will find some of Mirador functionality to be broken.

Patches

Mirador adopters should update to v3.0.0, no updates exist for v2.x releases.

Workarounds

Yes, Mirador users could fork and create their own custom build of Mirador and make the bug fixes themselves.

References

https://github.com/advisories/GHSA-gxr4-xjj5-5px2
https://github.com/advisories/GHSA-jpcq-cgw6-v4j6

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

Permalink: https://github.com/advisories/GHSA-hgwm-pv9h-q5m7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhnd20tcHY5aC1xNW03
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago


Identifiers: GHSA-hgwm-pv9h-q5m7
References: Repository: https://github.com/ProjectMirador/mirador
Blast Radius: 0.0

Affected Packages

npm:mirador
Dependent packages: 40
Dependent repositories: 138
Downloads: 15,024 last month
Affected Version Ranges: <= 2.7.2
Fixed in: 3.0.0-alpha.0
All affected versions: 0.1.2, 2.1.1, 2.1.3, 2.1.4, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.7.2
All unaffected versions: 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.3.0