Posted to commits@wicket.apache.org by "Maxim Solodovnik (Jira)" <ji...@apache.org> on 2020/10/24 06:26:00 UTC
[jira] [Resolved] (WICKET-6846) wicket-ajax-jquery.js ActiveX control discovery - Unpatched Application
[ https://issues.apache.org/jira/browse/WICKET-6846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maxim Solodovnik resolved WICKET-6846.
--------------------------------------
Resolution: Fixed
> wicket-ajax-jquery.js ActiveX control discovery - Unpatched Application
> -------------------------------------------------------------------------
>
> Key: WICKET-6846
> URL: https://issues.apache.org/jira/browse/WICKET-6846
> Project: Wicket
> Issue Type: Task
> Components: wicket
> Affects Versions: 8.10.0
> Environment: Windows 2012
> Reporter: abbas ali
> Assignee: Maxim Solodovnik
> Priority: Minor
> Labels: security
> Fix For: 8.11.0
>
> Original Estimate: 12h
> Remaining Estimate: 12h
>
> In our environment, we use the wicket-ajax-jquery.js library. Our WebInspect vulnerability scan reported the vulnerability "ActiveX control discovery - Unpatched Application". It says:
> "Any application compiled using the vulnerable active template could be subject to code execution and information disclosure vulnerabilities".
>
> Recommendations include applying any relevant service pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update. If you have already applied the proper fix, then this vulnerability can safely be ignored.
> Ref: [https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035]
> [https://www.cvedetails.com/cve/CVE-2009-0901/]
>
> May I check that the ActiveXObject used in the code below (wicket-ajax-jquery.js) is created with a patched version of Visual Studio and is free from this vulnerability?
>
> ------
> (window.ActiveXObject){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.6.0")}
> catch(err6){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.5.0")}
> catch(err5){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.4.0")}
> catch(err4){try
> {xmlDocument=new ActiveXObject ("MSXML2.DOMDocument.3.0")}
> catch(err3){try
> {xmlDocument=new ActiveXObject ("Microsoft.XMLDOM")}
> catch(err2){Wicket.Log.error("Cannot create DOM
--
This message was sent by Atlassian Jira
(v8.3.4#803005)