[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16865033#comment-16865033 ]
Aditya Sharma commented on OFBIZ-10678:
---------------------------------------
Here is a patch with jQuery 3.4.1 replacing jQuery 1.11.0. Here are the
inferences based on the following verifications:

Validations
Verify:
[https://localhost:8443/catalog/control/CreateProductFeature]
[https://localhost:8443/catalog/control/EditProduct]

Query Timepicker
[https://localhost:8443/ordermgr/control/ListQuoteRoles?quoteId=CQ0001]

jGrowl Success and Error Messages on all the pages

jsTree [https://localhost:8443/humanres/control/main]

Readmore [https://localhost:8443/ordermgr/control/returnMain?returnId=10007]

jQuery UI Used throughout OFBiz

Elrte
Steps:
1. Go to Content component ([https://localhost:8443/content/control/main]).
2. Click on Forum from submenu ([https://localhost:8443/content/control/findForumGroups]).
3. Click on forums link under Select column ([https://localhost:8443/content/control/findForums?forumGroupId=WebStoreFORUM])
4. Click on messages link under Select column ([https://localhost:8443/content/control/findForumMessages?forumGroupId=WebStoreFORUM&forumId=ASK])

Asm Select [https://localhost:8443/example/control/FormWidgetExamples] (Multiple drop-downs)

Jquery hotkeys [https://localhost:8443/webpos/control/main]

Jeditable [https://localhost:8443/example/control/authview/findExampleAjax] (Name field is click and edit)

Jquery Mask [https://localhost:8443/example/control/FormWidgetExamples] (Datetimepicker Field)

Jquery flot [https://localhost:8443/example/control/ExampleBarChart]

Fancybox
Verify:
[https://localhost:8443/example/control/ListVisualThemes] Click on image
Fancybox TypeError: j.get(...).style.removeAttribute is not a function

All the plugins are working fine except the Fancybox. We have to replace it
with some alternative. Fancybox is now available at Fancyapps under the GPLv3
license for all open source applications. A commercial license is required for
all commercial applications (including sites, themes and apps you plan to
sell). I have found an alternative Lightcase for it.
[http://fancybox.net/]
[http://fancyapps.com/fancybox/3/#license]

Alternative:
Lightbox under MIT license (Though I am still looking at some other
options) [http://ashleydw.github.io/lightbox/]

> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> ----------------------------------------------------------------------
>
> Key: OFBIZ-10678
> URL: https://issues.apache.org/jira/browse/OFBIZ-10678
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Blocker
> Labels: Javascript, retire.js, vulnerabilities
>
> 3 years ago I created the page
> https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and
> here are the results:
> h3. Trunk
> {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
> ? bootstrap 4.0.0-beta.2 has known vulnerabilities:
>     severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
> ? bootstrap 4.0.0 has known vulnerabilities:
>     severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
> ? jquery 1.7.1 has known vulnerabilities:
>     severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
> ? angularjs 1.3.8 has known vulnerabilities:
>     severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
>     severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP
>     severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md
>     severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
> ? angularjs 1.3.8 has known vulnerabilities:
>     severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
>     severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP
>     severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md
>     severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
> ? jquery 2.1.3.min has known vulnerabilities:
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
>     severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
> ? jquery 1.7.2.min has known vulnerabilities:
>     severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R17
> {code}
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
> ? bootstrap 4.0.0-beta.2 has known vulnerabilities:
>     severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
> ? bootstrap 4.0.0 has known vulnerabilities:
>     severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
>     severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\require.js
> ? jquery 1.7.1 has known vulnerabilities:
>     severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.js
> ? angularjs 1.3.8 has known vulnerabilities:
>     severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
>     severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP
>     severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md
>     severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.min.js
> ? angularjs 1.3.8 has known vulnerabilities:
>     severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
>     severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP
>     severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md
>     severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
> ? jquery 2.1.3.min has known vulnerabilities:
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
>     severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
> ? jquery 1.7.2.min has known vulnerabilities:
>     severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R16
> {code}
> ? jquery 1.11.0 has known vulnerabilities:
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
>     severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-1.11.0.min.js
> ? jquery 1.11.0.min has known vulnerabilities:
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
>     severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js
> ? jquery-migrate 1.2.1 has known vulnerabilities:
>     severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\specialpurpose\solr\webapp\solr\js\require.js
> ? jquery 1.7.1 has known vulnerabilities:
>     severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/
>     severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
> ? jquery-mobile 1.4.0.min has known vulnerabilities:
>     severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
> ? jquery-mobile 1.4.0 has known vulnerabilities:
>     severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> {code}
> So it's time to update again the Javascript embedded libs. I'll check what I
> have done with OFBIZ-9269 before...