Hi, we are using osTicket 1.10.4. We found that inside osTicket, there are jquery-ui-1.10.3.custom.min.js and jquery-1.11.2.min.js. These files may cause the vulnerabilities CVE-2016-7103 and CVE-2015-9251.

May I know whether osTicket will update the jQuery version, or how I can replace jquery-ui-1.10.3.custom.min.js with the latest version?

Thanks for your precious time.

@ricky131

Thank you for bringing these vulnerabilities to our attention. We are working to update jQuery and all related files for osTicket v1.11 stable. This version will be released very soon so be on the lookout.

Cheers.

13 days later

@ricky131

I have made a pull request and it has been merged into the develop and develop-next branches. This means that the jQuery updates will be included in the 1.10.5 security release and 1.11 stable release. Both of these releases are happening soon so please stay tuned.

Cheers.
