Security Vulnerability Affecting prettyPhoto jQuery Script

There is an XSS security vulnerability in the prettyPhoto jQuery script (versions before 3.1.6). This script is sometimes included in themes, templates and scripts available from a variety of sources, including ThemeForest and CodeCanyon.

This was first reported in July 2014 (in Spanish), but has received wider exposure in the last few days.

ThemeForest and CodeCanyon Authors:

If you use the prettyPhoto script in your items, please check your items and make sure you are using version 3.1.6. If you are using an older version, you should update your item as soon as possible. We’ll be working towards identifying any affected items and disabling those that are not fixed within a certain timeframe (to be announced).

When submitting an update that addresses these issues, please include the phrase “prettyPhoto XSS fix” in the notes. Please be careful to use this exact phrase, as it makes it easier for us to identify these updates. This will allow us to prioritise the review of updates relating to this issue.

Buyers:

As far as we are aware, this vulnerability is not being exploited in a widespread manner, despite being nearly a year old. We believe this affects a relatively small number of items on ThemeForest and CodeCanyon, but we will be working with authors and asking them to check that their items are secure and to update them if necessary.

If you wish to check whether your items include an affected version of prettyPhoto, we suggest first checking each item’s documentation to see whether it mentions prettyPhoto and the version number. If it does not, you will need to search the item’s file structure for the jquery.prettyphoto.js file. In most cases, authors will place all included JavaScript files in a common folder named something similar to “includes”, “js”, “scripts”, “assets”, etc. If you find the jquery.prettyphoto.js file, open it with a text editor and check the version number.

  • If you have version 3.1.6, then you have a secure version of the file and no further action is necessary.
  • If you have an older version, please update your item as soon as the author has provided updated files.
  • If you can’t find the file and there is no mention of it in the item’s documentation, then you are unlikely to be using prettyPhoto. We would still advise you to watch for any updates for your items and apply any that become available, as this is general best practice.

You can check for updates on the Downloads page. If you would like to be automatically notified about new updates, please activate “Item update notifications” in your email settings.

Note: This is cross-posted from the ThemeForest forum. Please leave any replies on the original thread over there.
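The buyer-side check described in the post (locate jquery.prettyphoto.js under the item's script folders, read the version from the file header, compare it against 3.1.6) as a small scanner. This is an added example; it is not part of the original forum post and not prettyPhoto's or Envato's code. It assumes the version is declared on a `Version: x.y.z` line in the header comment at the top of the file, matches the filename case-insensitively and (going beyond the post) also picks up `.min.js` copies, and runs here against a constructed sample directory built inline rather than a real theme.

```python
import os
import re
import tempfile

# Filenames that typically carry prettyPhoto: jquery.prettyPhoto.js and
# minified variants. Matched case-insensitively because theme authors
# rename and re-case vendor files freely.
PRETTYPHOTO_NAME = re.compile(r"^jquery\.prettyphoto(\.min)?\.js$", re.IGNORECASE)

# Assumption: the header comment carries a line such as "Version: 3.1.5".
# Adjust the pattern if the copy you are checking declares it differently.
VERSION_LINE = re.compile(r"Version:\s*([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)

# First release the forum post describes as fixed.
FIXED_VERSION = (3, 1, 6)


def parse_version(text):
    """Return the version tuple from a prettyPhoto file's header, or None."""
    m = VERSION_LINE.search(text[:4096])  # header sits at the top of the file
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def scan_tree(root):
    """Walk an unpacked item and classify every prettyPhoto copy found.

    Returns a list of (path, version_or_None, status) where status is
    'ok', 'vulnerable' or 'unknown' (no version header, e.g. a minified
    copy with the comment stripped).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not PRETTYPHOTO_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            if version is None:
                status = "unknown"
            elif version < FIXED_VERSION:
                status = "vulnerable"
            else:
                status = "ok"
            findings.append((path, version, status))
    return findings


def summarize(findings):
    """Count findings per status, e.g. {'ok': 1, 'vulnerable': 1, 'unknown': 1}."""
    return {s: sum(1 for _, _, st in findings if st == s)
            for s in ("ok", "vulnerable", "unknown")}


def build_sample_tree():
    """Create a constructed sample item layout (not a real theme) for the demo."""
    root = tempfile.mkdtemp(prefix="pp-scan-")
    samples = {
        # old copy in the usual "assets/js" location: should be flagged
        "assets/js/jquery.prettyPhoto.js":
            "/* Class: prettyPhoto\n\tVersion: 3.1.5\n*/\n(function($){})(jQuery);\n",
        # fixed copy, lower-case filename as the post spells it
        "includes/vendor/jquery.prettyphoto.js":
            "/* Class: prettyPhoto\n\tVersion: 3.1.6\n*/\n(function($){})(jQuery);\n",
        # minified copy with the header stripped: version cannot be read
        "scripts/jquery.prettyPhoto.min.js": "(function(e){})(jQuery);\n",
        # unrelated library that must be ignored by the name filter
        "scripts/jquery.min.js": "/* jQuery v1.11 */\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, version, status in scan_tree(root):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:10} {shown:8} {os.path.relpath(path, root)}")
```

Point `scan_tree()` at the unpacked item directory instead of `build_sample_tree()`. A file reported as "unknown" (typically a minified copy with the header comment stripped) still needs a manual look or a diff against the 3.1.6 release, and a version string alone cannot tell you whether an author patched an older copy in place without bumping it, so treat the scanner as triage rather than proof that an item is safe.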
