qpid-dev mailing list archives

From "Alex Rudyy (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (QPID-8258) [Broker-J] Upgrade dojotoolkit to version 1.14
Date Mon, 12 Nov 2018 10:55:00 GMT

    [ https://issues.apache.org/jira/browse/QPID-8258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy reassigned QPID-8258:

    Assignee: Alex Rudyy

> [Broker-J] Upgrade dojotoolkit to version 1.14
> ----------------------------------------------
>                 Key: QPID-8258
>                 URL: https://issues.apache.org/jira/browse/QPID-8258
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-7.1.0, qpid-java-broker-7.0.7
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0
> A number of security vulnerabilities have been fixed in dojotoolkit 1.14:
> * [CVE-2018-6561|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6561]: dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.
> * [CVE-2018-15494|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15494]: In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
> * [CVE-2018-1000665|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000665]: Dojo Objective Harness (DOH) versions prior to 1.14 contain a Cross Site Scripting (XSS) vulnerability in unit.html, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in the victim being attacked through their browser (malware delivery, HTTP cookie theft, CORS trust bypass). The attack is exploitable when victims are lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. This vulnerability appears to have been fixed in 1.14.

This message was sent by Atlassian JIRA
