EPiServer.Forms.Samples uses out of date jQuery UI with known vulnerabilities
One of our customers is using the EPiServer.Forms.Samples library, mostly to facilitate content gating with the Forms Visitor Groups. During a recent penetration test the following was reported:
We also observed the use of a known vulnerable version of jquery-ui at /Util/EPiServer.Forms.Samples/jquery-ui/jquery-ui.js, which is known to have the following vulnerabilities:
CVE-2022-31160 (https://nvd.nist.gov/vuln/detail/CVE-2022-31160): XSS when refreshing a checkboxradio with an HTML-like initial text label
Recommendation
Use the latest versions of the dependencies where possible. If it is not possible to update these, ensure the vulnerable components are not used.
There does not appear to be an equivalent of the forms.config that would allow us to prevent the injection of jquery-ui.js for the EPiServer.Forms.Samples package.
Can we please get an update for this package so that the out of date library is not used, and, if possible, a way to disable this injection altogether?

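As an added illustration (not part of the post above, and not code from the EPiServer.Forms.Samples package), the script below does what the pentest finding implies a defender should do as a recurring check: read the version banner out of every jquery-ui.js asset a site serves and flag any build older than jQuery UI 1.13.2, the release in which CVE-2022-31160 was fixed (that fix version comes from the jQuery UI release history, not from this thread). The regexes follow the banner and `$.ui.version` assignment that jQuery UI places at the top of its distributed builds. The asset path for Forms.Samples is the one quoted in the finding; the file contents and the other paths are constructed sample data, and the assumed 1.12.1 version is illustrative only.

```python
"""Inventory check: find jquery-ui.js bundles that predate the CVE-2022-31160 fix.

Added example; not part of the forum post or the EPiServer.Forms.Samples package.
Sample asset contents below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# jQuery UI 1.13.2 is the first release containing the CVE-2022-31160 fix
# (from the jQuery UI release history, not from the forum thread).
FIXED_VERSION: Tuple[int, int, int] = (1, 13, 2)

# Distributed builds start with a banner like "/*! jQuery UI - v1.12.1 - 2016-09-14".
BANNER_RE = re.compile(r"jQuery UI - v(\d+)\.(\d+)\.(\d+)")
# Fallback: the library also assigns its version in source, e.g. $.ui.version = "1.12.1"
# (older releases used the object-literal form version: "1.11.4").
VERSION_PROP_RE = re.compile(r'version\s*[:=]\s*"(\d+)\.(\d+)\.(\d+)"')


def parse_jquery_ui_version(source: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) parsed from a jquery-ui.js body, or None if absent."""
    head = source[:4096]  # banner and version assignment both sit near the top
    for pattern in (BANNER_RE, VERSION_PROP_RE):
        match = pattern.search(head)
        if match:
            major, minor, patch = (int(g) for g in match.groups())
            return (major, minor, patch)
    return None


def is_vulnerable_to_cve_2022_31160(source: str) -> Optional[bool]:
    """True if the bundle predates 1.13.2, False if it is 1.13.2 or newer, None if unknown."""
    version = parse_jquery_ui_version(source)
    if version is None:
        return None
    return version < FIXED_VERSION


def audit(assets: Dict[str, str]) -> Dict[str, str]:
    """Classify each served asset path as 'vulnerable', 'fixed' or 'unknown'."""
    result = {}
    for path, body in assets.items():
        status = is_vulnerable_to_cve_2022_31160(body)
        result[path] = "unknown" if status is None else ("vulnerable" if status else "fixed")
    return result


# Constructed sample assets. The first path is the one named in the pentest finding;
# its 1.12.1 banner is an assumption for illustration, not the package's actual version.
SAMPLE_ASSETS: Dict[str, str] = {
    "/Util/EPiServer.Forms.Samples/jquery-ui/jquery-ui.js": (
        "/*! jQuery UI - v1.12.1 - 2016-09-14\n"
        "* http://jqueryui.com\n"
        "* Includes: widget.js, position.js, checkboxradio.js\n"
        "*/\n"
        '( function( $ ) { $.ui = $.ui || {}; var version = $.ui.version = "1.12.1"; } )( jQuery );\n'
    ),
    "/Static/vendor/jquery-ui.min.js": (
        "/*! jQuery UI - v1.13.2 - 2022-07-14\n"
        "* http://jqueryui.com\n"
        "*/\n"
        '!function(e){e.ui=e.ui||{};e.ui.version="1.13.2"}(jQuery);\n'
    ),
    "/Static/vendor/site.js": "(function () { /* constructed: no jQuery UI here */ })();\n",
}


if __name__ == "__main__":
    for asset_path, verdict in audit(SAMPLE_ASSETS).items():
        print(f"{verdict:10s} {asset_path}")
```

In practice you would feed `audit()` the bodies fetched from your own site's static asset paths (or read from the deployed web root) rather than the constructed samples, and treat any `vulnerable` or `unknown` result as a finding to chase; `unknown` matters because a build with the banner stripped cannot be cleared by this check alone.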