FKITDEV-8817 — esign_css jQuery Vulnerability Remediation
Summary
A vulnerability scanner flagged a stale jQuery 2.2.4 file in esign_css (CVE-2020-11023, CVE-2019-11358). The flagged file is reachable by URL via nginx static serving, but the only page that references it is dead code — its routes are commented out on every active branch. Fix is a one-line repoint plus deleting the stale file; no jQuery Migrate or plugin upgrades needed.
CVEs
| CVE | jQuery affected | Class |
|---|---|---|
| CVE-2020-11023 | < 3.5.0 | XSS: HTML from untrusted sources containing `<option>` elements passed to DOM manipulation methods (`.html()`, `.append()`, etc.) |
| CVE-2019-11358 | < 3.4.0 | Prototype pollution: `jQuery.extend(true, {}, untrusted)` with a `__proto__` key writes into `Object.prototype` |
Root Cause
- The flagged file is `esign_css/web/libs/metronic/global/plugins/jquery.min.js`; it is jQuery v2.2.4 (vulnerable).
- Repo-wide, it is referenced in exactly one place: `client/ui/layouts/auth/auth.layout.twig:73`.
Key Non-Obvious Fact — `auth.layout.twig` is DEAD CODE
`auth.layout.twig` is extended only by `login.template.twig` and `register.template.twig`. The `GET /login` and `GET /register` routes that would render those templates are commented out in `server/web/routes.js` (lines 344 and 346) on both `devel` and `customization/instacash`. The entire login/register page chain in esign_css is disabled, so no live page renders the vulnerable jQuery.
Why the scanner still flags it
nginx serves the ^~ /libs/ location as static content by path, not by what any page references — see nginx_dev.conf / nginx_docker.conf line 27. So https://<host>/libs/metronic/global/plugins/jquery.min.js resolves and the scanner reaches it directly, even though no live page links to it.
esign_css layout topology
esign_css has exactly two Twig layouts:
| Layout | Status | Notes |
|---|---|---|
| `auth.layout.twig` | Dead | Only extended by the disabled login/register templates |
| `default.layout.twig` | Live | Every real page extends it; line 58 already loads the safe `/libs/jquery/jquery-3.7.1.min.js` |
So the live side of esign_css is already on jQuery 3.7.1 — the vulnerability only exists in the dead auth layout chain.
Fix (decided)
- Delete the stale file `esign_css/web/libs/metronic/global/plugins/jquery.min.js`.
- Repoint the dead Twig line `auth.layout.twig:73` to `/libs/jquery/jquery-3.7.1.min.js` (the same file `default.layout.twig` already uses).
No Migrate / plugin work needed
Because `auth.layout.twig` is dead code, there is no need for jQuery Migrate or for upgrading any Metronic plugins to be 3.x-compatible. The repoint just clears the scanner finding; nothing renders the page. If the login/register routes are ever re-enabled, the Metronic plugins loaded by `auth.layout.twig` will need to be checked against jQuery 3.x (or jQuery Migrate added) at that point.
bizalmiszolgaltatas.facekom.net — Separate Property
Not esign_css — needs its own owner/ticket
FKITDEV-8817 also produced jQuery findings (items 1, 2, 7, 8) against `bizalmiszolgaltatas.facekom.net`. This is a separate property and requires a separate owner and ticket.
- `bizalmiszolgaltatas.facekom.net` is a TechTeamer-operated static document-hosting site, served via AWS CloudFront (302-redirects to the `www` subdomain). It is not esign_css.
- esign_css only references it: `portal.agreementUrls` points at its legal PDFs:
  - `/dokumentumok/aktualis/altalanos_szerzodesi_feltetelek.pdf`
  - `/dokumentumok/aktualis/adatkezelesi_tajekoztato.pdf`
  - `/dokumentumok/aktualis/bizalmi_szolgaltatasi_rend.pdf`
Related
- esign — Electronic Signature System overview (esign_css / esign_oss)
- esign-css-customization-branches — esign_css branch fleet and dev/test method
- security-audit — FaceKom security findings
- index — Investigation index