Answered

HandlebarsJS and Underscore.js

Hakase Hayashida, 8 months ago, updated 8 months ago

Hello,

We recently started using BibBase for embedding our publication list on our website, but the IT support in our department noted a vulnerability issue related to this implementation. Specifically, we identified that the issue comes from the following line of the code on our webpage:


<script src="https://bibbase.org/show?bib=https://gitlab.com/hakasehayashida/jcope-stats/-/raw/main/jcope-stats.bib&jsonp=1"></script>

The vulnerability diagnostics indicated that the solution is to upgrade the HandlebarsJS and Underscore.js on the remote server.

I have limited knowledge of IT and security, so my request might be irrelevant, but I am wondering if the issue could be resolved by upgrading those two JS versions on your server?

Thanks in advance,

Hakase

Under review

Hi Hakase,

Sorry for the delayed response. Can you share more about the severity of the found vulnerability? Since BibBase is not showing anything sensitive or confidential -- quite the opposite actually -- I don't quite understand the possible damage a malicious actor could do based on these vulnerabilities. Did your IT support share more details?

Thanks,

Christian

Thanks Christian for your reply.


I attach the screenshots of the vulnerability test report. I hope they are helpful in identifying the issue.


Regards,

Hakase

Answered

Thanks for sharing! We've looked these over and found that they do not apply to us, because the conditions described in these vulnerabilities are not met in our case (we do not compile templates from untrusted sources). So there doesn't seem to exist any urgency fixing these. It certainly doesn't hurt to upgrade these libraries and we will do so eventually.
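The condition Christian refers to (template source compiled from untrusted input, as opposed to untrusted data merely passed into a template's context) is something a site owner can check mechanically in their own page code before chasing a scanner finding. The following is an added example, not BibBase's code or part of this thread; the call names it looks for and the sample source it scans are constructed for the demo.

```javascript
// Added example, not BibBase's code: the advisories in this thread apply only when template
// *source* is compiled from untrusted input, so this flags compile calls whose first argument
// is not a string literal. Call names and the sample source below are constructed for the demo.
const COMPILE_CALLS = ['Handlebars.compile', 'Handlebars.precompile', '_.template'];
// First argument of the call whose '(' is at openParen, honouring quotes and nested parens.
function firstArgument(src, openParen) {
  let depth = 0, quote = null;
  for (let i = openParen; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                 // skip an escaped character inside a string
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === '(') depth++;
    else if ((c === ')' && --depth === 0) || (c === ',' && depth === 1)) {
      return src.slice(openParen + 1, i);
    }
  }
  return null;                             // call never closed
}
// A plain quoted string, or a template literal without ${...} interpolation.
function isStringLiteral(arg) {
  const a = arg.trim();
  return /^(['"])(?:\\.|(?!\1)[^\\\n])*\1$/.test(a)
    || (a.length >= 2 && a.startsWith('`') && a.endsWith('`') && !a.includes('${'));
}
function findDynamicTemplateCompiles(source) {
  const findings = [];
  for (const call of COMPILE_CALLS) {
    let pos = 0;
    while ((pos = source.indexOf(call, pos)) !== -1) {
      const open = source.indexOf('(', pos + call.length);
      const glued = pos > 0 && /[\w$.]/.test(source[pos - 1]);   // e.g. my_.template(...)
      // skip non-calls and longer names such as _.templateSettings
      if (glued || open === -1 || source.slice(pos + call.length, open).trim() !== '') { pos += call.length; continue; }
      const arg = firstArgument(source, open);
      const line = source.slice(0, pos).split('\n').length;
      if (arg !== null && !isStringLiteral(arg)) findings.push({ line, call, arg: arg.trim() });
      pos = open + 1;
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}
// Constructed sample: hard-coded (trusted) templates beside two calls compiling dynamic source.
const SAMPLE_SOURCE = `
const entryTpl = Handlebars.compile('<li>{{title}} ({{year}})</li>');
const html = entryTpl(bibEntry);                   // untrusted data only enters the context
const userTpl = Handlebars.compile(req.query.tpl); // template text comes from the request
const bad = _.template(settings.layout, { variable: 'e' });
`;
```

Running `findDynamicTemplateCompiles(SAMPLE_SOURCE)` reports only the two calls whose template text comes from a variable; a site that, like the BibBase embed, only feeds bibliography data into the context of fixed templates produces no findings, which is the case Christian describes.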

Thanks very much for investigating further, Christian.

I understand that it is not urgent to upgrade those libraries.

I hope they get upgraded in the near future, so we can use BibBase on our website.

Best regards,

Hakase