ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-9269) Check embedded Javascript libs vulnerabilities using retire.js
Date Fri, 10 Nov 2017 16:06:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-9269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247706#comment-16247706
] 

Jacques Le Roux commented on OFBIZ-9269:
----------------------------------------

Does someone really care about that but me?

> Check embedded Javascript libs vulnerabilities using retire.js
> --------------------------------------------------------------
>
>                 Key: OFBIZ-9269
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9269
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>              Labels: Javascript, retire.js, vulnerabilities
>
> 1+ years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> I just checked again and here are the results
> {code}
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-1.11.0.js
>  ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd
party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>  
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js
>  ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary:
Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-1.11.0.min.js
>  ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary:
3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector
interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\angular.min.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute
usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md
severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
>  https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\angular.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute
usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md
severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
>  https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
>  ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary:
3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
>  ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect
leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
>  
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
>  ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open
redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
>  
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
>  ? jquery 1.7.2.min has known vulnerabilities: severity: medium; bug: 11290, summary:
Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
severity:medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>  
> C:\projectsASF\ofbiz-framework\plugins\birt\webapp\birt\webcontent\birt\ajax\lib\prototype.js
>  ? prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
> {code}
> So it's time to update again the Javascript embedded libs



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message