- Issue created by @mcdruid
Automatically closed - issue fixed for 2 weeks with no activity.
Drupal 7 core ships with an old version of jQuery and a few related libraries.
Security scanning tools will flag D7 sites as vulnerable to a handful of CVEs relating to these old versions.
Most of the CVEs have been mitigated in Drupal 7 core, for example:
There are some jQuery related CVEs not included in this list, which the Drupal core maintainers and Drupal Security Team believe are not valid vulnerabilities in the context of D7 - for example CVE-2014-6071.
If you are concerned about a jQuery related vulnerability affecting your Drupal 7 site, the recommended solution is to use the jQuery Update module to utilise a recent release of jQuery (and/or related libraries) where the vulnerability has been addressed upstream.
The jQuery Update module manages the following libraries, and allows them to be updated to any version available:
For more details see the project page at: https://www.drupal.org/project/jquery_update
Active
7.0 ⚰️
documentation