Messages - ferpagano

1
Bug Report / Re: PQGrid jszip 2.5.0 vulnerabilities
« on: March 09, 2023, 04:44:08 pm »
Thanks again Paramvir.

2
Bug Report / Re: PQGrid jszip 2.5.0 vulnerabilities
« on: March 08, 2023, 11:27:10 pm »
Thanks Paramvir for the detailed answer. It helps us to know that the issue should not apply.

Also, I would like to mention that the 'npm audit' command shows vulnerabilities. The second finding in the npm output is the same as the one in the first post, but I'm not sure about the "Prototype" issue. Please, I would appreciate your comments on this matter.

Quote
# npm audit report

jszip  <=3.7.1
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-jg8v-48h5-wgxg
JSZip contains Path Traversal via loadAsync - https://github.com/advisories/GHSA-36fh-84j7-cv5h
No fix available
node_modules/jszip
  pqgrid  *
  Depends on vulnerable versions of jszip
  node_modules/pqgrid

Thanks!

3
Bug Report / PQGrid jszip 2.5.0 vulnerabilities
« on: March 08, 2023, 05:25:27 pm »
Hello Support!

We are currently using PQGrid v8.6.0 and have been using Veracode to track vulnerabilities and improvements. Recently, Veracode detected a high severity vulnerability related to the jszip v2.5.0 dependency used in PQGrid. The vulnerability details have been provided below:

Quote
CVE-2022-48285 | CWE-22
Directory Traversal: jszip is vulnerable to Directory Traversal. The vulnerability exists as untrusted user input is not properly validated and/or sanitized, allowing an attacker to exploit the vulnerability via a crafted ZIP archive.

Would it be possible for you to update PQGrid to use the latest version of jszip (or v3.8.0 or later) to address this issue?
This vulnerability also applies to PQGrid v8.7.0.

Please refer to the following links for further details on this vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2022-48285
https://cwe.mitre.org/data/definitions/22.html


Hope you can help.
Thanks in advance.

Best regards,
Fernando.

4
Bug Report / Re: Tooltip show / hide error
« on: January 13, 2023, 11:40:54 pm »
Excellent  8)

Thanks.

5
Bug Report / Re: Tooltip show / hide error
« on: January 12, 2023, 08:41:16 am »
Hello!

Thanks for your answer.

I'm unable to reproduce it on StackBlitz. It doesn't throw the exception and somehow it seems to have forced strict mode to be disabled.
https://stackblitz.com/edit/paramquery-ng-switch-data-7vvrr8?file=tsconfig.json

I have a repo below containing a similar solution that can be used to reproduce the error in a local environment.
https://github.com/ferpagano/prueba_pqgrid

I also reached out to the jQuery UI team; here are their related answers:
https://github.com/jquery/jquery-ui/issues/2148
https://github.com/jquery/jquery-ui/pull/1931

Thanks in advance.
Fernando.

6
Bug Report / Tooltip show / hide error
« on: January 12, 2023, 12:04:25 am »
Hello,

I'm using pqGrid (v8.7.0) with column validation inside an Angular v13 (13.3.12) app. When the validator fires, it should show the tooltip, but it's throwing a TypeError. The line that has the problem is (jquery-ui):
"options.complete = callback;"
The variable "options" is a boolean, and I think the problem is related to strict mode because when I tried a similar line without strict mode, it ran fine.

jquery -> v3.4.0
jquery-ui-pack -> v1.12.3

Thanks in advance.
Fernando.

TypeError: Cannot create property 'complete' on boolean 'true'
Error:
core.mjs:7739
ERROR TypeError: Cannot create property 'complete' on boolean 'true'
at $.Widget. [as _show] (jquery-ui.js:716:3)
at $..._open (jquery-ui.js:15926:8)
at $..._open (jquery-ui.js:139:25)
at $..._updateContent (jquery-ui.js:15855:9)
at $..._updateContent (jquery-ui.js:139:25)
at Object. (jquery-ui.js:15732:10)
at Function.each (jquery.js:391:19)
at $..._setOption (jquery-ui.js:15731:6)
at $..._setOption (jquery-ui.js:139:25)
at $..._setOptions (jquery-ui.js:429:9)
