[ 
https://issues.apache.org/jira/browse/WICKET-6846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Maxim Solodovnik resolved WICKET-6846.
--------------------------------------
    Resolution: Fixed

> wicket-ajax-jquery.js   ActiveX control discovery - Unpatched Application
> -------------------------------------------------------------------------
>
>                 Key: WICKET-6846
>                 URL: https://issues.apache.org/jira/browse/WICKET-6846
>             Project: Wicket
>          Issue Type: Task
>          Components: wicket
>    Affects Versions: 8.10.0
>         Environment: Windows 2012
>            Reporter: abbas ali
>            Assignee: Maxim Solodovnik
>            Priority: Minor
>              Labels: security
>             Fix For: 8.11.0
>
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>
> In our environment, we use wicket-ajax-jquery.js library. Our WebInspect 
> vulnerability scan reported the vulnerability "ActiveX control discovery - 
> Unpatched Application". It says 
>  "Any application compiled using the vulnerable active template could be 
> subject to code execution and information disclosure vulnerabilities".
>  
> Recommendations include applying any relevant service
>  pack or patch as listed in the Fix section, then recompiling and 
> redistributing any software created prior to the update. If you
>  have already applied the proper fix, then this vulnerability can safely be 
> ignored.
>  
> Ref:[https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035]
> [https://www.cvedetails.com/cve/CVE-2009-0901/]
>  
> May I check that the ActiveXObject used in the below code (wicket-ajax-jquery.js)
> is created with a patched version of Visual Studio and is free from this
> vulnerability?
>  
> ------
> (window.ActiveXObject){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.6.0")}
> catch(err6){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.5.0")}
> catch(err5){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.4.0")}
> catch(err4){try
> {xmlDocument=new ActiveXObject ("MSXML2.DOMDocument.3.0")}
> catch(err3){try
> {xmlDocument=new ActiveXObject ("Microsoft.XMLDOM")}
> catch(err2){Wicket.Log.error("Cannot create DOM


