ICEfaces
  1. ICEfaces
  2. ICE-11514

jQuery Security Issues analysis

    Details

      Description

      The jQuery library used by ICEfaces components has known security vulnerabilities.

      See https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html

      This JIRA is to analyze these to determine if there is an exposure vector outside of the ICEfaces component code (via the browser) for any of these.

        Activity

        Hide
        Arturo Zambrano added a comment -

        r53369: Fix for vulnerability CVE-2019-11358.

        r53370: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).

        r53371: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).

        r53372: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).

        Show
        Arturo Zambrano added a comment - r53369: Fix for vulnerability CVE-2019-11358. r53370: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023). r53371: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251). r53372: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).
        Hide
        Arturo Zambrano added a comment -

        Applied fixes to the EE 3.3 maintenance branch.

        r53374: Don't copy prototype properties in jQuery.extend() (Fix for vulnerability CVE-2019-11358).

        r53375: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).

        r53376: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).

        r53377: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).

        Show
        Arturo Zambrano added a comment - Applied fixes to the EE 3.3 maintenance branch. r53374: Don't copy prototype properties in jQuery.extend() (Fix for vulnerability CVE-2019-11358). r53375: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023). r53376: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251). r53377: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).
        Hide
        Arturo Zambrano added a comment -

        More detailed information can be found in this wiki article:

        http://www.icesoft.org/wiki/display/ICE/jQuery+Security+Vulnerability+Mitigation

        Show
        Arturo Zambrano added a comment - More detailed information can be found in this wiki article: http://www.icesoft.org/wiki/display/ICE/jQuery+Security+Vulnerability+Mitigation

          People

          • Assignee:
            Arturo Zambrano
            Reporter:
            Ken Fyten
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: