qpid-dev mailing list archives

From "Alex Rudyy (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-8258) [Broker-J] Upgrade dojotoolkit to version 1.14
Date Mon, 05 Nov 2018 12:35:00 GMT
Alex Rudyy created QPID-8258:

             Summary: [Broker-J] Upgrade dojotoolkit to version 1.14
                 Key: QPID-8258
                 URL: https://issues.apache.org/jira/browse/QPID-8258
             Project: Qpid
          Issue Type: Improvement
          Components: Broker-J
    Affects Versions: qpid-java-broker-7.1.0, qpid-java-broker-7.0.7
            Reporter: Alex Rudyy

A number of security vulnerabilities have been fixed in dojotoolkit 1.14:

* [CVE-2018-6561|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6561] dijit.Editor
in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.
* [CVE-2018-15494|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15494] In Dojo Toolkit
before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
* [CVE-2018-1000665|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000665] Dojo
Objective Harness (DOH) versions prior to 1.14 contain a Cross Site Scripting (XSS)
vulnerability in unit.html, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html
and testsDOH/_base/i18nExhaustive.js in the DOH that can result in the victim being attacked
through their browser: malware delivery, theft of HTTP cookies, bypass of CORS trust. This
attack appears to be exploitable when victims are lured to a web site under the attacker's
control; the XSS vulnerability on the target domain is silently exploited without the victim's
knowledge. This vulnerability appears to have been fixed in 1.14.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
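The pattern common to the three CVEs listed in the ticket (an untrusted string, here one carrying an SVG element with an onload attribute, interpolated into widget markup without escaping) is illustrated by the following added example. It is not Qpid Broker-J, Dojo or dojox DataGrid code: the row renderer is a stand-in for any widget that builds HTML by string concatenation, the sample row is constructed for the demo, and the event-handler check is a review-time heuristic, not a sanitizer.

```javascript
// Added example (not part of the Qpid or Dojo code bases): escaping untrusted
// cell values before they are concatenated into widget markup.

// Escape the five characters that let a string break out of text or
// attribute context in HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: raw interpolation of a cell value into table markup.
// Any cell value containing markup becomes live DOM when rendered.
function renderRowUnescaped(cells) {
  return '<tr>' + cells.map(c => '<td>' + c + '</td>').join('') + '</tr>';
}

// Hardened pattern: every untrusted value passes through escapeHtml, so the
// payload is displayed as text instead of being parsed as an element.
function renderRowEscaped(cells) {
  return '<tr>' + cells.map(c => '<td>' + escapeHtml(c) + '</td>').join('') + '</tr>';
}

// Heuristic used only to check the two renderers here: does the produced
// markup contain an element that carries an inline on* event-handler
// attribute? A regex over HTML is not a safe general-purpose filter.
function hasInlineEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample row: one benign value and one value shaped like the
// payload named in the CVE text (an SVG element with an onload attribute).
const sampleRow = ['queue-1', '<svg onload="alert(1)"></svg>'];

// Runs stand-alone: prints both renderings for comparison.
console.log('unescaped:', renderRowUnescaped(sampleRow));
console.log('escaped:  ', renderRowEscaped(sampleRow));
```

The same escaping must also be applied in attribute and script contexts with context-appropriate encoders; escapeHtml above is correct for element text and double-quoted attribute values only, which is why a dependency upgrade to a fixed toolkit version is the right remedy rather than patching individual call sites.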
