Security for Excel Exports

Donald asked on 24 Apr 2024, 06:48 PM

Hello,

It is not clear from your documentation whether you are still relying on jszip.js for Excel exports. We have found that this library has critical security vulnerabilities that have not been addressed by the FOSS developer who created it.

Please advise as to what you recommend.

Thanks.

1 Answer, 1 is accepted

Mihaela
Telerik team
answered on 29 Apr 2024, 03:57 PM

Hello Donald,

The JSZip library is required for the Excel exports, as stated in the Export Support section in the documentation.

Would you please let us know if the security vulnerabilities you mentioned are found in the latest version? Generally, the Kendo UI for jQuery/MVC/Core(Exporting) is compatible with JSZip 3.x starting v2023.3.1114 (R3 2023 SP1). You can upgrade to the latest JSZip version (3.10.1).
Regards,
Mihaela
Progress Telerik


Donald
commented on 29 Apr 2024, 04:03 PM

This is the version of JSZip that is insecure. The random-number generator used by JSZip is vulnerable to cyberattacks and the creator of the library has not maintained it.

Mihaela
Telerik team
commented on 02 May 2024, 01:40 PM

Hello Donald,

I have found the following two issues in the JSZip repo:

According to the source code, Math.random() is used to create a prefix for a variable name rather than for data encryption:

https://github.com/Stuk/jszip/blob/main/dist/jszip.js#L11491-L11509

Also, it does not exist as a CVE report. We can state that the report is a false positive since Math.random() does not cause real threats in the code.

If any additional questions arise, please let us know.

Best,

Mihaela

Donald
commented on 09 May 2024, 03:36 PM | edited

Hello Mihaela,

Is there a way I can contact you offline about our findings? My email address is [REDACTED EMAIL ADDRESS]. Thanks.

Mihaela
Telerik team
commented on 14 May 2024, 09:23 AM

Hello Donald.

I noticed that there is no active license associated with your account, which limits our support service overall. In this regard, I would highly recommend considering the option of acquiring a license. You can review the available license plans in the following resource:

Regardless, I want to help you out; however, could you please let me know if you discovered a new vulnerability in the JSZip library that has not been previously reported, or is it part of a tooling scan? Tools like snyk and others show that the latest version does not have any CVEs. If you rely on automated tools, I would recommend contacting the JSZip developers for verification of those scan results.

Currently, there are no confirmed vulnerabilities for JSZip v3.10.1. However, if you have any concerns, you can switch to server-side export with the Telerik Document Processing Library's SpreadStreamProcessing, which does not require the JSZip library:

Best,

Mihaela

Donald
commented on 14 May 2024, 01:55 PM

Hello Mihaela,

It isn't just JSZip that shows up with vulnerabilities in our scans. Everywhere location.href or window.location.href is being used potentially opens the software to redirection attacks. In addition, there are places where Math.random() is being used. This function is known to be insufficiently secure. As well, any place where input is not being validated exposes the software to CSRF attacks.

Our scans have identified these vulnerabilities in console.js, kendo.all.js, and kendo.aspnetmvc.js.

Mihaela
Telerik team
commented on 14 May 2024, 04:20 PM

Hi Donald,

To discuss the results of your scans related to the Kendo UI scripts and any concerns you have, I would recommend creating a trial license for the desired Kendo UI product and submitting a support ticket.

Best,
Mihaela
