hi, i am using Limesyrvay ver. 3.17.8 with bootstrap version 3.3.7 which has some vulnerabilities, and I am wondering if it will work with bootstrap version 4?

regards

Talsaady wrote: hi, i am using Limesyrvay ver. 3.17.8 with bootstrap version 3.3.7 which has some vulnerabilities

Can you provide some infos about the vulnerabilities? I recommend to open a bug report with LimeSurvey if you see a security issue running a survey with the shipped bootstrap package.

Hello,
actually attached picture show our security scan result on our survey site.

regards,

Please file a bug report

Thanks for your scan. I'm afraid that there are lot more javascript libraries bundled with LimeSurvey which are outdated. A look at github show e.g.
github.com/LimeSurvey/LimeSurvey/blob/ma.../js/source/jquery.js or github.com/LimeSurvey/LimeSurvey/blob/ma...ibs/jquery/jquery.js

It's not always the case that such libraries can be exploited. It depends a bit on how LimeSurvey has integrated the libraries. The impact can differ a lot.



JQuery
www.cvedetails.com/cve/CVE-2019-11358/

Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

You still should report your findings as tpartner already pointed out.

jelo wrote: JQuery
www.cvedetails.com/cve/CVE-2019-11358/

Unsure could be impacted (if XSS is on).

But we must remove/disable the old jquery.js file …

jelo wrote: Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

Unsure could be impacted (if XSS is on)., less sure. XSS user can use class for tooltip, but don't know how to add XSS inside this tooltip.

Think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

DenisChenu wrote: Think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

Correct, but how will LimeSurvey dev team monitor the impact from external libs.
The amount of external code is getting bigger and bigger.

github.com/LimeSurvey/LimeSurvey/tree/master/tests

But here need a test for ranking and slider

Looks like you need to provide an exploit to get an bootstrap update. Nice idea, but as a Saas provider the approach might be a bit risky.

bugs.limesurvey.org/view.php?id=15141#c53152

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly. If necessary with an addition to core Bootstrap, or jQuery.