jquery-1.11.2.min.js is included when accessing Nagios XI at https://<ip address>. How can I change it to use jQuery 3.x, or prevent it from loading, in order to address the jQuery 1.x vulnerability? The Nagios XI version is 5.7.3.
Please also advise how to change ALL other web pages of the XI web interface to use 3.x, if any.
<head>
<title>Nagios XI</title>
<meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="shortcut icon" href="/nagiosxi/images/favicon.ico" type="image/ico">
<LINK REL='stylesheet' TYPE='text/css' HREF='/nagiosxi/includes/css/bootstrap.3.min.css'>
<LINK REL='stylesheet' TYPE='text/css' HREF='/nagiosxi/includes/css/base.css'>
<LINK REL='stylesheet' TYPE='text/css' HREF='/nagiosxi/includes/css/themes/modern.css'>
<script type='text/javascript' src='/nagiosxi/includes/js/jquery/jquery-1.11.2.min.js'></script>
<script type='text/javascript' src='/nagiosxi/includes/js/jquery/jquery-migrate-1.4.1.min.js'></script>
<script type='text/javascript' src='/nagiosxi/includes/js/core.js'></script>
</head>
Vulnerable jquery library
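An added example, not from the thread or from Nagios: a small checker that parses a page's HTML for jQuery script tags and reports any version below 3.x, so the 1.x inclusion can be confirmed on 5.7.3 and re-checked after upgrading. The sample input is the quoted head block; the URL fetch helper is an assumption about how it would be pointed at a live instance.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Constructed sample: the script tags from the <head> quoted in the original post.
SAMPLE_HEAD = """<head>
<script type='text/javascript' src='/nagiosxi/includes/js/jquery/jquery-1.11.2.min.js'></script>
<script type='text/javascript' src='/nagiosxi/includes/js/jquery/jquery-migrate-1.4.1.min.js'></script>
<script type='text/javascript' src='/nagiosxi/includes/js/core.js'></script>
</head>"""

# Matches the core library file name only (jquery-X.Y.Z.js / .min.js); jquery-migrate is
# a separate shim and deliberately not treated as a core version.
JQUERY_RE = re.compile(r"^jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def find_jquery_versions(html):
    """Return [(src, (major, minor, patch)), ...] for each core jQuery script found."""
    parser = ScriptCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        basename = src.split("?")[0].rsplit("/", 1)[-1]
        m = JQUERY_RE.match(basename)
        if m:
            found.append((src, tuple(int(x) for x in m.groups())))
    return found


def outdated_jquery(html, minimum=(3, 0, 0)):
    """Return the src of every core jQuery script older than `minimum`."""
    return [src for src, ver in find_jquery_versions(html) if ver < minimum]


def check_url(url, timeout=10):
    """Assumed helper: fetch a page (e.g. the XI login page) and report outdated jQuery."""
    html = urllib.request.urlopen(url, timeout=timeout).read().decode("utf-8", "replace")
    return outdated_jquery(html)
```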
Re: Vulnerable jquery library
Hi mansonl,
Nagios XI came with both jquery 1.x and 3.x when installed. The web interface is using the latest version.
The jquery 1.x is being used "locally" (internally) just for generating PDF reports and should not cause any security concern.
If you were to replace that with the 3.x, you might not be able to get PDF reports when needed.
Best Regards,
Vinh
Re: Vulnerable jquery library
But why is jquery 1.x.x included when visiting the Nagios XI frontend at https://<ip address>? Can it be replaced by 3.x.x?
A vulnerability scanner (Qualys) our company uses detected that jquery 1.x.x has vulnerabilities, as shown in the attached screenshot. Thus our cybersecurity team requests us to get rid of it for XI and use 3.x.x.
Re: Vulnerable jquery library
Hi mansonl,
Thank you for bringing this to our attention.
I have just talked to our development team and was told that there is a plan to remove it in the upcoming 5.8 version.
Best Regards,
Vinh
Re: Vulnerable jquery library
Is there any workaround or intermediate solution that can be used to remove jquery 1.x.x before 5.8 is released? We are targeting a fix this month.
What's the ETA of 5.8?
Re: Vulnerable jquery library
Hi mansonl,
I have contacted our development team and was told that the 5.8 will be released "soon" ... no official date yet ...
The fix is pretty complicated (requires more than one file change) so it's best to wait for 5.8.
Best Regards,
Vinh
Re: Vulnerable jquery library
If 5.8 is not likely to be released this month, could you share the steps for applying the fix? We may apply it before 5.8 after evaluation.
Re: Vulnerable jquery library
Hi mansonl,
Hope you are doing great!!
I have checked with our development team again today (this morning).
Unfortunately, they still do not recommend any workaround for this issue.
Their suggestion is to wait for the 5.8 release, which will be out very soon ... hopefully this month.
Regards,
Vinh