select2 XSS issue with current version

Any updates on this?

Thank you for reporting this @styledev and @chegor. Select2 has been updated to the latest version in Stream 4.0.1 released today.

Still appears to be an issue – plugin version 4.0.2

Info:?In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.

File:?/wp-content/plugins/stream/ui/lib/select2/js/select2.min.js

Hi @nazartikhonyuk

Thank you for your update. After evaluating, here are the findings:

• As of Stream 4.0.1, including the most recent 4.0.2, has Select2 updated to the latest 4.0.13;
• Select2 4.0.13 has no known direct vulnerabilities;

Can you please confirm these points on your end?

Thank you once again.

Hi @pereirinha

This is fixed.

Thank you!