Security for Excel Exports

Spreadsheet
Donald asked on 24 Apr 2024, 06:48 PM

Hello,

It is not clear from your documentation whether you are still relying on jszip.js for Excel exports. We have found that this library has critical security vulnerabilities that have not been addressed by the FOSS developer who created it.

Please advise as to what you recommend.


Thanks.

1 Answer, 1 is accepted

Mihaela
Telerik team
answered on 29 Apr 2024, 03:57 PM

Hello Donald,

The JSZip library is required for the Excel exports, as stated in the Export Support section in the documentation.

Would you please let us know if the security vulnerabilities you mentioned are found in the latest version? Generally, Kendo UI for jQuery/MVC/Core (Exporting) is compatible with JSZip 3.x starting with v2023.3.1114 (R3 2023 SP1). You can upgrade to the latest JSZip version (3.10.1).


Regards,
Mihaela
Progress Telerik

Donald
commented on 29 Apr 2024, 04:03 PM

This is the version of JSZip that is insecure. The random-number generator used by JSZip is vulnerable to cyberattacks and the creator of the library has not maintained it.
Mihaela
Telerik team
commented on 02 May 2024, 01:40 PM

Hello Donald,

I have found the following two issues in the JSZip repo:

According to the source code, Math.random() is used to create a prefix for a variable name rather than for data encryption:

https://github.com/Stuk/jszip/blob/main/dist/jszip.js#L11491-L11509

Also, it does not exist as a CVE report. We can state that the report is a false positive since Math.random() does not cause real threats in the code.

If any additional questions arise, please let us know.

Best,

Mihaela
