[https://issues.apache.org/jira/browse/QPID-8258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Alex Rudyy resolved QPID-8258.
------------------------------
Resolution: Fixed
> [Broker-J] Upgrade dojotoolkit to version 1.14
> ----------------------------------------------
>
> Key: QPID-8258
> URL: https://issues.apache.org/jira/browse/QPID-8258
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-7.1.0, qpid-java-broker-7.0.7
> Reporter: Alex Rudyy
> Assignee: Alex Rudyy
> Priority: Major
> Fix For: qpid-java-broker-7.1.0
>
>
> A number of security vulnerabilities have been fixed in dojotoolkit 1.14/1.13:
>
> * [CVE-2018-6561|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6561]:
>   dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute
>   of an SVG element.
> * [CVE-2018-15494|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15494]:
>   In Dojo Toolkit before 1.14, there is unescaped string injection in
>   dojox/Grid/DataGrid.
> * [CVE-2018-1000665|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000665]:
>   Dojo Objective Harness (DOH) versions prior to 1.14 contain a
>   Cross Site Scripting (XSS) vulnerability in unit.html,
>   testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and
>   testsDOH/_base/i18nExhaustive.js in the DOH that can result in the victim
>   being attacked through their browser (malware delivery, theft of HTTP
>   cookies, bypass of CORS trust). This attack appears to be exploitable when
>   victims are lured to a web site under the attacker's control; the XSS
>   vulnerability on the target domain is then silently exploited without the
>   victim's knowledge. This vulnerability appears to have been fixed in 1.14.
--
This message was sent by Atlassian JIRA (v7.6.3#76005)