Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: EE-4.3.0.GA_P02, EE-3.3.0.GA_P08
- Fix Version/s: EE-4.3.0.GA_P03, EE-3.3.0.GA_P09
- Component/s: ACE-Components, ICE-Components
- Labels: None
- Environment: ICEfaces components.
Description
The jQuery library used by ICEfaces components has known security vulnerabilities.
See https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
This JIRA is to analyze these vulnerabilities and determine whether any of them has an exposure vector outside of the ICEfaces component code (via the browser).
r53369: Fix for vulnerability CVE-2019-11358.
r53370: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).
r53371: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).
r53372: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).
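
The r53370 change, illustrated with an added example (not ICEfaces or jQuery project code). The regex is the self-closing-tag expansion that upstream jQuery releases before 3.5.0 applied in `jQuery.htmlPrefilter`; `auditFragments` and the sample fragments are hypothetical, constructed here to show which markup strings are rewritten on the client after any sanitizing has already run, and that the identity function leaves them untouched.

```javascript
// Added example; assumes the bundled jQuery behaves like upstream < 3.5.0.
// Regex used by jQuery.htmlPrefilter in upstream releases before 3.5.0.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-fix behaviour: "<tag attrs/>" is expanded to "<tag attrs></tag>",
// so the string handed to the HTML parser differs from the string that
// was validated or sanitized earlier.
function legacyPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Behaviour after the fix: markup reaches the parser unchanged.
function identityPrefilter(html) {
  return html;
}

// Hypothetical audit helper: list the fragments the legacy prefilter
// would rewrite, i.e. the ones whose handling changes with the fix.
function auditFragments(fragments) {
  return fragments
    .map((html) => ({ html, rewritten: legacyPrefilter(html) }))
    .filter((r) => r.rewritten !== r.html);
}

// Constructed sample fragments (benign markup a component might inject).
const SAMPLE_FRAGMENTS = [
  '<div class="panel"/><span>title</span>', // non-void self-closing tag
  '<p>plain text</p>',                      // nothing self-closing
  '<img src="logo.png"/>',                  // void element, excluded by the regex
  '<ul><li/><li>item</li></ul>',            // nested self-closing tag
];

for (const { html, rewritten } of auditFragments(SAMPLE_FRAGMENTS)) {
  console.log("rewritten by legacy prefilter:");
  console.log("  before:", html);
  console.log("  after: ", rewritten);
}
```

Fragments reported by the audit are the ones to retest after the upgrade, since code that relied on the automatic expansion of self-closing tags will now see the markup parsed as written.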