0026358: Vulnerability from library Moment.js 2.15.2 - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0026358	mantisbt	security	public	2019-11-15 03:03	2022-04-13 08:30

Reporter	jcamara	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	N/A
Status	closed	Resolution	fixed
Product Version	2.22.0
Target Version	2.23.0	Fixed in Version	2.23.0

Summary	0026358: Vulnerability from library Moment.js 2.15.2
Description	Our security department reports a pair of known vulnerabilities related with Moment.js 2.15.2 https://www.cvedetails.com/vulnerability-list/vendor_id-16043/product_id-35644/Moment-Project-Moment.html The suggestion is promoting Moment.js version as far as possible.
Tags	No tags attached.

MantisBT: master 1bd17e65 2019-11-15 02:08 dregad Details Diff	Update moment.js library to 2.24.0 Version 2.15.2 we've been using since the introduction of Modern UI is exposed to 2 known vulnerabilities, CVE-2016-4055 and CVE-2017-18214. Fixes 0026358	Affected Issues 0026358
	mod - core/constant_inc.php	Diff File
	rm - js/moment-with-locales-2.15.2.min.js	Diff
	add - js/moment-with-locales-2.24.0.min.js	Diff File
	mod - library/README.md	Diff File

dregad 2019-11-15 04:06 developer ~0063098	Thanks for the heads up. Upgrading to the latest moment.js release (2.24.0 as of this writing) should not be a problem, but requires some testing.

dregad 2019-11-23 14:17 developer ~0063130	PR https://github.com/mantisbt/mantisbt/pull/1582