
jQuery 2.2.4 vulnerability

Feature Requests

agilepixel
3 posts
6 years ago

We’re conducting a security audit of our site and found that ExpressionEngine is running jQuery 2.2.4 (ExpressionEngine 4). This version of jQuery has known security issues, and the recommendation is to move to the latest version of jQuery, 3.3.1.

Is it possible to simply update to 3.3.1 safely or is there an upcoming release of EE4 which will include the latest version of jQuery?

       
Derek Jones
7,561 posts
6 years ago

jQuery is only used with ExpressionEngine in its own control panel, and its version is maintained by the app; you cannot update or replace those libraries. It may cause the control panel to not function properly and would be overwritten by the shipped assets when you performed a software update anyway.

Most jQuery vulnerabilities require some very specific context to exploit that typically isn’t applicable within how ExpressionEngine uses jQuery, or is irrelevant. If you are aware of a jQuery vulnerability that is exploitable within the ExpressionEngine control panel, please email the details to [email protected] and we will address it immediately. Thanks!

       


Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.