Details
-
Type: Improvement
-
Status: Closed
-
Priority: Critical
-
Resolution: Fixed
-
Affects Version/s: EE-4.2.0.GA, EE-3.3.0.GA_P05
-
Fix Version/s: 4.3, EE-3.3.0.GA_P06
-
Component/s: ACE-Components
-
Labels:None
-
Environment:Any
-
Affects:Documentation (User Guide, Ref. Guide, etc.)
Description
A customer has reported that a static security analysis has found a potential problem in our fileEntry.js file.
The report of the flaw is as follows:
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed.
Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.
References: CWE (http://cwe.mitre.org/data/definitions/95.html)
The report of the flaw is as follows:
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed.
Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.
References: CWE (http://cwe.mitre.org/data/definitions/95.html)
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
Arturo Zambrano
created issue -
Arturo Zambrano
made changes -
Field | Original Value | New Value |
---|---|---|
Assignee | Arturo Zambrano [ artzambrano ] |
Arturo Zambrano
made changes -
Priority | Major [ 3 ] | Critical [ 2 ] |
Ken Fyten
made changes -
Description |
FISGlobal have run a static analysis and found a potential problem in our fileEntry.js file.
The report of the flaw is as follows: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed. Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input. References: CWE (http://cwe.mitre.org/data/definitions/95.html) |
A customer has reported that a static security analysis has found a potential problem in our fileEntry.js file.
The report of the flaw is as follows: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed. Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input. References: CWE (http://cwe.mitre.org/data/definitions/95.html) |
Ken Fyten
made changes -
Fix Version/s | 4.3 [ 13096 ] | |
Fix Version/s | EE-3.3.0.GA_P06 [ 13114 ] |
Arturo Zambrano
made changes -
Status | Open [ 1 ] | Resolved [ 5 ] |
Resolution | Fixed [ 1 ] |
Ken Fyten
made changes -
Issue Type | Bug [ 1 ] | Improvement [ 4 ] |
Ken Fyten
made changes -
Summary | Potential 'eval' injection risk in fileEntry.js | SECURITY: Potential 'eval' injection risk in fileEntry.js |
Ken Fyten
made changes -
Affects | Documentation (User Guide, Ref. Guide, etc.) [ 10003 ] |
Ken Fyten
made changes -
Status | Resolved [ 5 ] | Closed [ 6 ] |