roller-commits mailing list archives

From "Aditya Sharma (Jira)" <j...@apache.org>
Subject [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js
Date Tue, 20 Aug 2019 11:10:00 GMT
Aditya Sharma created ROL-2150:
----------------------------------

             Summary: Fix Js security vulnerabilities detected using retire js
                 Key: ROL-2150
                 URL: https://issues.apache.org/jira/browse/ROL-2150
             Project: Apache Roller
          Issue Type: Bug
          Components: User Interface - General
    Affects Versions: 5.2.4
            Reporter: Aditya Sharma
            Assignee: Aditya Sharma


{code:java}
/roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
 ↳ jquery-ui-dialog 1.11.0
jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug:
281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281
https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
/roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
 ↳ jquery-ui-autocomplete 1.11.0
/roller/app/target/roller/roller-ui/scripts/jquery-2.1.1.min.js
 ↳ jquery 2.1.1
jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
 ↳ jquery-ui-dialog 1.11.0
jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE: CVE-2016-7103, bug:
281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281
https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
/roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
 ↳ jquery-ui-autocomplete 1.11.0
/roller/app/src/main/webapp/roller-ui/scripts/jquery-2.1.1.min.js
 ↳ jquery 2.1.1
jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/target/roller/themes/gaurav/js/jquery.js
 ↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/target/test-classes/themes/gaurav/js/jquery.js
 ↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/src/main/webapp/themes/gaurav/js/jquery.js
 ↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-1.12.4.js
 ↳ jquery 1.12.4
jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-2.2.4.js
 ↳ jquery 2.2.4
jquery 2.2.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-3.3.1.js
 ↳ jquery 3.3.1
jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery
before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,
{}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
/roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/unsupported_plugins/ImageManager/smart-image.js
 ↳ swfobject 2.0
swfobject 2.0 has known vulnerabilities: severity: medium; summary: DOM-based XSS; https://github.com/swfobject/swfobject/wiki/SWFObject-Release-Notes#swfobject-v21-beta7-june-6th-2008
{code}



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
