[
https://issues.apache.org/jira/browse/OFBIZ-11752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17135661#comment-17135661
]
Aditya Sharma commented on OFBIZ-11752:
---------------------------------------
Hi Jacques,
Backporting to 17.12 was pending. Due to different file structure and I have to
manually apply the changes.
Also, I checked for the console error issue, it seems there was no such error
till 17.12, it was introduced with OFBIZ-11466 at
[b9c9a69a1432e63491bc40a6a4a78129c9923e74|https://github.com/apache/ofbiz-framework/pull/50/commits/b9c9a69a1432e63491bc40a6a4a78129c9923e74].
Looking at application.js it seems that we have code of JQuery columns and
jQuery Formalise in this file which should be in minified files instead. I will
explore more on this if this has any custom code and proceed accordingly.
This is done now. Hence closing.
> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> ----------------------------------------------------------------------
>
> Key: OFBIZ-11752
> URL: https://issues.apache.org/jira/browse/OFBIZ-11752
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Aditya Sharma
> Assignee: Aditya Sharma
> Priority: Major
> Labels: Javascript, retire.js, vulnerabilities
>
> Trunk
> {code:java}
> /ofbiz-framework/plugins/solr/webapp/solr/js/require.js
> ↳ jquery 1.7.1
> jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708,
> bug: 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290
> https://nvd.nist.gov/vuln/detail/CVE-2012-6708
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-cookies.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-resource.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-route.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-sanitize.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/jquery-2.1.3.min.js
> ↳ jquery 2.1.3
> jquery 2.1.3 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/plugins/solr/webapp/solr/js/lib/jquery-1.7.2.min.js
> ↳ jquery 1.7.2
> jquery 1.7.2 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708,
> bug: 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290
> https://nvd.nist.gov/vuln/detail/CVE-2012-6708
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> {code}
> Release 18.12
> {code:java}
> /ofbiz-framework/plugins/solr/webapp/solr/js/require.js
> ↳ jquery 1.7.1
> jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708,
> bug: 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290
> https://nvd.nist.gov/vuln/detail/CVE-2012-6708
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-cookies.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-resource.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-route.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-sanitize.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/jquery-2.1.3.min.js
> ↳ jquery 2.1.3
> jquery 2.1.3 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/plugins/solr/webapp/solr/js/lib/jquery-1.7.2.min.js
> ↳ jquery 1.7.2
> jquery 1.7.2 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708,
> bug: 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290
> https://nvd.nist.gov/vuln/detail/CVE-2012-6708
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> {code}
> Release 17.12
> {code:java}
> /ofbiz-framework/plugins/solr/webapp/solr/js/require.js
> ↳ jquery 1.7.1
> jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708,
> bug: 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290
> https://nvd.nist.gov/vuln/detail/CVE-2012-6708
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-cookies.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-resource.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-route.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular-sanitize.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/angular.min.js
> ↳ angularjs 1.3.8
> angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> Prototype pollution;
> https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
>
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
> severity: medium; summary: The attribute usemap can be used as a security
> exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
> severity: medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md
> https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS
> in $sanitize in Safari/Firefox;
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> /ofbiz-framework/plugins/solr/webapp/solr/libs/jquery-2.1.3.min.js
> ↳ jquery 2.1.3
> jquery 2.1.3 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/themes/common/webapp/common/js/jquery/jquery-3.4.1.min.js
> ↳ jquery 3.4.1
> jquery 3.4.1 has known vulnerabilities: severity: medium; summary: Regex in
> its jQuery.htmlPrefilter sometimes may introduce XSS;
> https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/themes/common/webapp/common/js/jquery/jquery-3.4.1.js
> ↳ jquery 3.4.1
> jquery 3.4.1 has known vulnerabilities: severity: medium; summary: Regex in
> its jQuery.htmlPrefilter sometimes may introduce XSS;
> https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
> /ofbiz-framework/plugins/solr/webapp/solr/js/lib/jquery-1.7.2.min.js
> ↳ jquery 1.7.2
> jquery 1.7.2 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708,
> bug: 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290
> https://nvd.nist.gov/vuln/detail/CVE-2012-6708
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may
> introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/{code}
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
