[ https://issues.apache.org/jira/browse/ROL-2150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16949603#comment-16949603 ]
Aditya Sharma commented on ROL-2150:
------------------------------------

Hi [~djohnson],

We don't have 5.2.5 in fix version list. Could you please help me out with it?

Thanks!

> Fix Js security vulnerabilities detected using retire js
> --------------------------------------------------------
>
> Key: ROL-2150
> URL: https://issues.apache.org/jira/browse/ROL-2150
> Project: Apache Roller
> Issue Type: Bug
> Components: User Interface - General
> Affects Versions: 5.2.4
> Reporter: Aditya Sharma
> Assignee: Aditya Sharma
> Priority: Major
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> {code:java}
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE:
> CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option;
> https://github.com/jquery/api.jqueryui.com/issues/281
> https://nvd.nist.gov/vuln/detail/CVE-2016-7103
> https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/target/roller/roller-ui/scripts/jquery-2.1.1.min.js
> ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE:
> CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option;
> https://github.com/jquery/api.jqueryui.com/issues/281
> https://nvd.nist.gov/vuln/detail/CVE-2016-7103
> https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/src/main/webapp/roller-ui/scripts/jquery-2.1.1.min.js
> ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/themes/gaurav/js/jquery.js
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/test-classes/themes/gaurav/js/jquery.js
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/themes/gaurav/js/jquery.js
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-1.12.4.js
> ↳ jquery 1.12.4
> jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-2.2.4.js
> ↳ jquery 2.2.4
> jquery 2.2.4 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-3.3.1.js
> ↳ jquery 3.3.1
> jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358,
> summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/unsupported_plugins/ImageManager/smart-image.js
> ↳ swfobject 2.0
> swfobject 2.0 has known vulnerabilities: severity: medium; summary: DOM-based
> XSS;
> https://github.com/swfobject/swfobject/wiki/SWFObject-Release-Notes#swfobject-v21-beta7-june-6th-2008
> {code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)