[ https://issues.apache.org/jira/browse/OFBIZ-9269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-9269.
----------------------------------
Resolution: Fixed
Assignee: Jacques Le Roux
Fix Version/s: Upcoming Release
Closing here. After the work at OFBIZ-9978, only an issue with jquery-mobile remains, which we will handle in OFBIZ-9978.
Also, Solr should be updated, but that's for another Jira.
Here is the last check from today:
{code}
C:\projectsASF\ofbiz>retire
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json ...
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json ...
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
C:\projectsASF\ofbiz\themes\common\webapp\common\js\jquery\jquery.mobile\jquery.mobile-1.4.0.js
? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
C:\projectsASF\ofbiz\themes\common\webapp\common\js\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
{code}
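The retire.js text report above is what a reviewer reads by eye; to gate a build on it, or to see that the .js and .min.js copies of one library are a single upgrade, the report has to be parsed. The following is an added example, not code from the OFBiz project or from retire.js: it parses retire's unwrapped text output (file path line, then the "has known vulnerabilities" line) into structured findings, collapses duplicate copies to distinct component versions, and applies a severity threshold. The SAMPLE is constructed from the shape of the output quoted in this issue.

```python
import re

# Constructed sample modelled on the retire.js text output quoted in this issue (not a real scan).
SAMPLE = r"""C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
 ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 severity: medium; issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
C:\projectsASF\ofbiz\themes\common\webapp\common\js\jquery\jquery.mobile\jquery.mobile-1.4.0.js
 ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
C:\projectsASF\ofbiz\themes\common\webapp\common\js\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
 ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
C:\projectsASF\ofbiz\plugins\birt\webapp\birt\webcontent\birt\ajax\lib\prototype.js
 ? prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Finding line: optional marker glyph (shown as "?" on a Windows console), component, version, then the findings.
HEADER = re.compile(r"^(?:\W\s*)?(?P<component>\S+)\s+(?P<version>\S+)\s+has known vulnerabilities:\s*(?P<rest>.*)$")

def split_findings(rest):
    """One dict per 'severity: X; ...; url' fragment of a finding line."""
    findings = []
    for piece in filter(str.strip, re.split(r"severity:\s*", rest)):
        severity, _, detail = piece.partition(";")
        # Entries without a summary (e.g. the prototypejs one) carry only a CVE id; use it as the summary.
        summary = re.search(r"summary:\s*(.*?);", detail) or re.search(r"(CVE-\d{4}-\d+)", detail)
        findings.append({"severity": severity.strip().lower(),
                         "summary": summary.group(1) if summary else "",
                         "refs": re.findall(r"https?://\S+", detail)})
    return findings

def parse_retire_text(output):
    """Map each reported file path to its component, normalised version and findings."""
    blocks = []                                   # [path, joined finding text], in scan order
    for line in output.splitlines():
        s = line.strip()
        if re.match(r"^[A-Za-z]:\\|^/", s):       # a file path starts a new entry
            blocks.append([s, ""])
        elif blocks and s:                        # finding line, or a wrapped continuation of it
            blocks[-1][1] = (blocks[-1][1] + " " + s).strip()
    results = {}
    for path, text in blocks:
        m = HEADER.match(text)
        if m:
            results[path] = {"component": m["component"], "version": re.sub(r"\.min$", "", m["version"]),
                             "findings": split_findings(m["rest"])}
    return results

def affected_components(results):
    """Distinct (component, version) pairs: the .js and .min.js copies collapse to one upgrade."""
    return sorted({(r["component"], r["version"]) for r in results.values()})

def should_fail(results, threshold="medium"):
    """Build gate: True if any finding is at or above the threshold severity."""
    bar = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= bar for r in results.values() for f in r["findings"])
```

Feed it the real report with `parse_retire_text(open("retire.txt").read())`; the mail-wrapped copy above needs its mid-word line breaks rejoined first, since the parser only joins whole lines.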
> Check embedded Javascript libs vulnerabilities using retire.js
> --------------------------------------------------------------
>
> Key: OFBIZ-9269
> URL: https://issues.apache.org/jira/browse/OFBIZ-9269
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Labels: Javascript, retire.js, vulnerabilities
> Fix For: Upcoming Release
>
>
> 1+ years ago I created the page
> https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> I just checked again, and here are the results:
> {code}
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-1.11.0.js
> ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js
> ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug:
> 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290
> http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-1.11.0.min.js
> ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue:
> 2432, summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\js\require.js
> ? jquery 1.7.1 has known vulnerabilities: severity: medium; bug: 11290,
> summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\angular.min.js
> ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The
> attribute usemap can be used as a security exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity:
> medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\angular.js
> ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The
> attribute usemap can be used as a security exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity:
> medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
> ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
> ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary:
> open redirect leads to cross site scripting;
> http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
>
> C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
> ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium;
> summary: open redirect leads to cross site scripting;
> http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
>
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
> ? jquery 1.7.2.min has known vulnerabilities: severity: medium; bug: 11290,
> summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
> http://research.insecurelabs.org/jquery/test/ severity:medium; issue: 2432,
> summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>
> C:\projectsASF\ofbiz-framework\plugins\birt\webapp\birt\webcontent\birt\ajax\lib\prototype.js
> ? prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
> {code}
> So it's time to update the embedded Javascript libs again.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)