
admin-lte js package 2.4 is affected by known critical vulnerabilities #8095

Closed
corselle opened this issue Aug 30, 2023 · 5 comments

Comments

@corselle

Hi,
As the following link mentions, the admin-lte js package 2.4 which Sonata uses is affected by known critical vulnerabilities:
https://www.cvedetails.com/vulnerability-list/vendor_id-29667/Adminlte.io.html

This known vulnerability may allow remote attackers to gain escalated privileges and view sensitive information via the /admin/index2.html and /admin/index3.html URIs.

It is highly recommended to update this dependency at least to 3.10-rc or higher (3.20-rc) for a production-grade framework or app.

Can you please update the admin-lte dependency?

@VincentLanglet
Member

VincentLanglet commented Aug 30, 2023

Hi,

See #7156

AdminLTE 3 uses Bootstrap 4; AdminLTE uses Bootstrap 3.
The update to Bootstrap 4 is huge, as you can see in the attempt #7740.

Also, this is a hard BC break and will require releasing SonataAdmin 5.x.

> Can you please update the admin-lte dependency?

Feel free to try.

What would be great for us is to fix the vulnerability in AdminLTE 2.
Maybe they can accept a PR on the 2.x branch and release a patched version.

@eerison
Contributor

eerison commented Sep 7, 2023

IMO it can be closed, and handled in the issue #7156

@VincentLanglet
Member

#7156 is kind of an epic, whereas this issue is about a specific problem.
And maybe some other fixes exist for this issue (like trying a PR on AdminLTE 2.x).

@sarim

sarim commented Sep 21, 2023

I fail to see how this would affect a Symfony application. In Symfony the only "live" accessible file is index.php, which is the front controller. No adminX.html files are exposed or have any chance of being exposed from the vendor directory. And Symfony handles routing and security. So whatever bugs are present in the JavaScript, the PHP server won't give access to or reply with resources that the user doesn't have access to.
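
The two checks a maintainer would actually run on a deployment to settle this thread, as an added example that is not part of the issue or of Sonata's own code: (1) the static-file lookup a web server performs for the /admin/index2.html and /admin/index3.html URIs named above, run against a constructed Symfony-style layout where only public/ is the document root and the AdminLTE demo pages live under vendor/, and (2) a composer.lock lookup reporting whether the installed AdminLTE major version is still below 3. The package name `almasaeed2010/adminlte`, the vendor path, the version string `v2.4.18` and the lock file contents are assumptions constructed for the demo, not values taken from the thread.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

# Constructed composer.lock fragment (assumed package name and version, not
# taken from any real Sonata project).
COMPOSER_LOCK = {
    "packages": [
        {"name": "almasaeed2010/adminlte", "version": "v2.4.18"},
        {"name": "sonata-project/admin-bundle", "version": "4.0.0"},
    ],
    "packages-dev": [],
}


def make_demo_project() -> Path:
    """Build a throwaway Symfony-like tree: public/ is the only served directory,
    the AdminLTE demo pages sit under vendor/ (path is an assumption)."""
    root = Path(tempfile.mkdtemp(prefix="sonata-demo-"))
    (root / "public").mkdir()
    (root / "public" / "index.php").write_text("<?php // front controller\n")
    demo = root / "vendor" / "almasaeed2010" / "adminlte"
    demo.mkdir(parents=True)
    for name in ("index2.html", "index3.html"):
        (demo / name).write_text("<html>demo page</html>\n")
    (root / "composer.lock").write_text(json.dumps(COMPOSER_LOCK))
    return root


def resolve_static(docroot: Path, uri: str) -> Optional[Path]:
    """Mimic a web server's static lookup: return the file that would be served
    for `uri`, or None when it does not exist under the document root or when
    the path would escape it (e.g. '../vendor/...')."""
    docroot = docroot.resolve()
    candidate = (docroot / uri.lstrip("/")).resolve()
    if candidate != docroot and docroot not in candidate.parents:
        return None  # refuse anything outside public/
    return candidate if candidate.is_file() else None


def package_version(lock_path: Path, package: str) -> Optional[str]:
    """Return the locked version of `package` from composer.lock, or None."""
    data = json.loads(lock_path.read_text())
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def needs_update(version: Optional[str], min_major: int = 3) -> bool:
    """True when the version's major number is below `min_major` (AdminLTE < 3),
    or when the package is missing entirely."""
    if not version:
        return True
    major = version.lstrip("vV").split(".")[0]
    return not major.isdigit() or int(major) < min_major


def audit(root: Path) -> dict:
    """Run both checks against a project root and return the findings."""
    docroot = root / "public"
    version = package_version(root / "composer.lock", "almasaeed2010/adminlte")
    return {
        "front_controller_served": resolve_static(docroot, "/index.php") is not None,
        "index2_exposed": resolve_static(docroot, "/admin/index2.html") is not None,
        "index3_exposed": resolve_static(docroot, "/admin/index3.html") is not None,
        "traversal_exposed": resolve_static(
            docroot, "/../vendor/almasaeed2010/adminlte/index2.html") is not None,
        "adminlte_version": version,
        "adminlte_needs_update": needs_update(version),
    }


if __name__ == "__main__":
    for key, value in audit(make_demo_project()).items():
        print(f"{key}: {value}")
```

On a real checkout replace `make_demo_project()` with the project root and `public` with whatever `DocumentRoot` the vhost points at; the lookup only tells you the demo pages are unreachable through that root, so the version check remains the supply-chain signal to watch in composer.lock (or package.json, if AdminLTE is installed via npm).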

@VincentLanglet
Member

I agree, closing then.


4 participants