[ https://issues.apache.org/jira/browse/QPID-8258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16704707#comment-16704707 ]
ASF subversion and git services commented on QPID-8258:
-------------------------------------------------------
Commit f57ac20df82b159beef4dd5b6ed649bb9a25149a in qpid-broker-j's branch
refs/heads/7.0.x from [~alex.rufous]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=f57ac20 ]
QPID-8258: [Broker-J] Upgrade dojotoolkit to version 1.14
(cherry picked from commit 606303b4d2aca0d7037cd9314a2eb93a59c5fbc4)
> [Broker-J] Upgrade dojotoolkit to version 1.14
> ----------------------------------------------
>
> Key: QPID-8258
> URL: https://issues.apache.org/jira/browse/QPID-8258
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-7.1.0, qpid-java-broker-7.0.7
> Reporter: Alex Rudyy
> Assignee: Alex Rudyy
> Priority: Major
> Fix For: qpid-java-broker-7.1.0
>
>
> A number of security vulnerabilities have been fixed in dojotoolkit 1.14/1.13:
> * [CVE-2018-6561|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6561]
>   dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute
>   of an SVG element.
> * [CVE-2018-15494|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15494]
>   In Dojo Toolkit before 1.14, there is unescaped string injection in
>   dojox/Grid/DataGrid.
> * [CVE-2018-1000665|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000665]
>   Dojo Objective Harness (DOH) versions prior to 1.14 contain a
>   Cross Site Scripting (XSS) vulnerability in unit.html,
>   testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and
>   testsDOH/_base/i18nExhaustive.js in the DOH that can result in the victim
>   being attacked through their browser (malware delivery, theft of HTTP
>   cookies, bypass of CORS trust). This attack appears to be exploitable when
>   victims are lured to a web site under the attacker's control; the XSS
>   vulnerability on the target domain is then silently exploited without the
>   victim's knowledge. This vulnerability appears to have been fixed in 1.14.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)