Customer Feedback

Categories Technical
Created by Guest
Created on Jan 30, 2023

EPiServer.Forms.Samples uses out of date JQuery.UI with known vulnerabilities

One of our customers is using the EPiServer.Forms.Samples library, mostly to facilitate content gating with the Forms Visitor Groups. During a recent penetration test the following was reported:

We also observed the use of a known vulnerable version of jquery-ui at /Util/EPiServer.Forms.Samples/jquery-ui/jquery-ui.js which is known to have the following vulnerabilities:

CVE-2022-31160: XSS when refreshing a checkboxradio with an HTML-like initial text label

Recommendation
Use the latest versions of the dependencies where possible. If it is not possible to update these, ensure the vulnerable components are not used.

There does not appear to be an equivalent of the forms.config that would allow us to prevent the injection of jquery-ui.js for the EPiServer.Forms.Samples package.

Can we please get an update for this package so that the out-of-date library is not used, and if possible, the capability to disable this from needing to be injected?