Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: EE-4.3.0.GA_P06, EE-3.3.0.GA_P12
- Fix Version/s: EE-4.3.0.GA_P07, EE-3.3.0.GA_P13
- Component/s: ACE-Components
- Labels: None
- Environment: Any
Description
A customer brought to our attention that vulnerability CVE-2010-5312 may not have been addressed yet in ICEfaces. Indeed, it doesn't look like the fix for this vulnerability has been applied to our code.
The name of the vulnerability indicates that it is very old, but, according to the references, it wasn't named and documented until much later, probably around 2014. There was a fix for it in 2012, but it wasn't labelled with the name of this vulnerability.
These are some references about this vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312
https://jqueryui.com/changelog/1.10.0/
https://bugs.jqueryui.com/ticket/6016/
https://github.com/advisories/GHSA-wcm2-9c89-wmfm
https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3
In any case, this would only be a vulnerability in ICEfaces if the end user is allowed to input arbitrary content to be put inside a dialog's title (such as via the 'header' attribute) and if somehow this content is not escaped. By default, ICEfaces escapes all content submitted by the user when sending it to the server for processing.
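The condition described above (header content reaching the dialog title unescaped) can be expressed as a small regression check. This is an added example, not code from ICEfaces or jQuery UI; it models the title bar with plain string templates, and every function name and sample value in it is hypothetical.

```javascript
// Added example: a model of the dialog title path, not ICEfaces or jQuery UI code.
// All function names are hypothetical.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Title inserted as markup: the condition the ticket describes as unsafe.
function renderTitleAsHtml(header) {
  return '<span class="ui-dialog-title">' + header + '</span>';
}

// Title inserted as text: markup in the header is displayed, not interpreted.
function renderTitleAsText(header) {
  return '<span class="ui-dialog-title">' + escapeHtml(header) + '</span>';
}

// Regression check: the rendered title bar may contain exactly two tags,
// the opening and closing span. Any other tag means header content was
// emitted as markup.
function titleIntroducesMarkup(rendered) {
  const tags = rendered.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length !== 2;
}

// Constructed sample header values.
const samples = [
  'Order details',
  'Tom & Jerry <draft>',
  '<img src=x onerror=alert(1)>',
];

// Run every sample through a renderer and flag the ones that add markup.
function audit(render) {
  return samples.map((s) => ({ header: s, unsafe: titleIntroducesMarkup(render(s)) }));
}

console.log('as HTML:', audit(renderTitleAsHtml));
console.log('as text:', audit(renderTitleAsText));
```

A header value that is already escaped on submission will be escaped twice by `renderTitleAsText`, so a real check should be run against the value exactly as the component receives it.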