Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2020/09/02 17:21:25 UTC

OFBiz site and [ CVE-2017-16011] Cross-Site Scripting in jQuery

Hi,

I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"

Could someone test if updating to jQuery 1.9 would work?

I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9

Thanks

Jacques


Re: OFBiz site and [ CVE-2017-16011] Cross-Site Scripting in jQuery

Posted by Jacques Le Roux <ja...@les7arts.com>.
Great!

On 03/09/2020 at 11:37, Aditya Sharma wrote:
> Indeed that makes sense Jacques. I checked we no longer use
> bootstrap-select plugin so removed it as an initial step.
>
> https://github.com/apache/ofbiz-site/commit/eec3090d837d6e931271596a48dca6e6c4a9aedb
>
> ofbiz-site passes the checks now
> https://github.com/apache/ofbiz-site/network/alerts
> https://github.com/apache/ofbiz-site
>
> I further plan to check and upgrade libraries to more recent versions
> further.
>
> Thanks and Regards,
> Aditya Sharma
>
> On Thu, Sep 3, 2020 at 2:34 PM Jacques Le Roux <ja...@les7arts.com>
> wrote:
>
>> Thanks Aditya,
>>
>> We could think that it's not a big deal since it's only a static site. But
>> if we were defaced that would not look great ;)
>>
>> Jacques
>>
>> On 03/09/2020 at 08:24, Aditya Sharma wrote:
>>> Hi Jacques,
>>>
>>> I think the dependency is related to bootstrap-select plugin.
>>>
>>> https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open
>>> We might not be affected, though I will have a deeper look into it soon.
>>>
>>> Thanks and regards,
>>> Aditya Sharma
>>>
>>>
>>> On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <
>>> jacques.le.roux@les7arts.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I received an alert from GitHub Advisory <https://github.com/advisories>
>>>> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>>>>
>>>> Could someone test if updating to jQuery 1.9 would work?
>>>>
>>>> I could then, or anyone ready for that, upgrade the OFBiz site to use
>>>> jQuery 1.9
>>>>
>>>> Thanks
>>>>
>>>> Jacques
>>>>
>>>>

Re: OFBiz site and [ CVE-2017-16011] Cross-Site Scripting in jQuery

Posted by Aditya Sharma <ad...@apache.org>.
Indeed that makes sense Jacques. I checked we no longer use
bootstrap-select plugin so removed it as an initial step.

https://github.com/apache/ofbiz-site/commit/eec3090d837d6e931271596a48dca6e6c4a9aedb

ofbiz-site passes the checks now
https://github.com/apache/ofbiz-site/network/alerts
https://github.com/apache/ofbiz-site

I further plan to check and upgrade libraries to more recent versions
further.

Thanks and Regards,
Aditya Sharma

On Thu, Sep 3, 2020 at 2:34 PM Jacques Le Roux <ja...@les7arts.com>
wrote:

> Thanks Aditya,
>
> We could think that it's not a big deal since it's only a static site. But
> if we were defaced that would not look great ;)
>
> Jacques
>
> On 03/09/2020 at 08:24, Aditya Sharma wrote:
> > Hi Jacques,
> >
> > I think the dependency is related to bootstrap-select plugin.
> >
> > https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open
> >
> > We might not be affected, though I will have a deeper look into it soon.
> >
> > Thanks and regards,
> > Aditya Sharma
> >
> >
> > On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <
> > jacques.le.roux@les7arts.com> wrote:
> >
> >> Hi,
> >>
> >> I received an alert from GitHub Advisory <https://github.com/advisories>
> >> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
> >>
> >> Could someone test if updating to jQuery 1.9 would work?
> >>
> >> I could then, or anyone ready for that, upgrade the OFBiz site to use
> >> jQuery 1.9
> >>
> >> Thanks
> >>
> >> Jacques
> >>
> >>
>

Re: OFBiz site and [ CVE-2017-16011] Cross-Site Scripting in jQuery

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Aditya,

We could think that it's not a big deal since it's only a static site. But if we were defaced that would not look great ;)

Jacques

On 03/09/2020 at 08:24, Aditya Sharma wrote:
> Hi Jacques,
>
> I think the dependency is related to bootstrap-select plugin.
> https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open
>
> We might not be affected, though I will have a deeper look into it soon.
>
> Thanks and regards,
> Aditya Sharma
>
>
> On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Hi,
>>
>> I received an alert from GitHub Advisory <https://github.com/advisories>
>> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>>
>> Could someone test if updating to jQuery 1.9 would work?
>>
>> I could then, or anyone ready for that, upgrade the OFBiz site to use
>> jQuery 1.9
>>
>> Thanks
>>
>> Jacques
>>
>>

Re: OFBiz site and [ CVE-2017-16011] Cross-Site Scripting in jQuery

Posted by Aditya Sharma <ad...@apache.org>.
Hi Jacques,

I think the dependency is related to bootstrap-select plugin.
https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open

We might not be affected, though I will have a deeper look into it soon.

Thanks and regards,
Aditya Sharma


On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> Hi,
>
> I received an alert from GitHub Advisory <https://github.com/advisories>
> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>
> Could someone test if updating to jQuery 1.9 would work?
>
> I could then, or anyone ready for that, upgrade the OFBiz site to use
> jQuery 1.9
>
> Thanks
>
> Jacques
>
>

Re: OFBiz site and [ CVE-2017-16011] Cross-Site Scripting in jQuery

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Pierre,

We have it already: https://github.com/apache/ofbiz-site

I subscribed to receive alerts by email

Jacques

On 03/09/2020 at 08:03, Pierre Smits wrote:
> Hi Jacques,
>
> Why don't we use CI and sonarcloud analysis to test these ante- and
> post-upgrade scenarios?
>
> Best regards
>
> Pierre
>
> On Wed 2 Sep 2020 at 19:23, Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Hi,
>>
>> I received an alert from GitHub Advisory <https://github.com/advisories>
>> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>>
>> Could someone test if updating to jQuery 1.9 would work?
>>
>> I could then, or anyone ready for that, upgrade the OFBiz site to use
>> jQuery 1.9
>>
>> Thanks
>>
>> Jacques
>>
>>

Re: OFBiz site and [ CVE-2017-16011] Cross-Site Scripting in jQuery

Posted by Pierre Smits <pi...@gmail.com>.
Hi Jacques,

Why don't we use CI and sonarcloud analysis to test these ante- and
post-upgrade scenarios?

Best regards

Pierre

On Wed 2 Sep 2020 at 19:23, Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> Hi,
>
> I received an alert from GitHub Advisory <https://github.com/advisories>
> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>
> Could someone test if updating to jQuery 1.9 would work?
>
> I could then, or anyone ready for that, upgrade the OFBiz site to use
> jQuery 1.9
>
> Thanks
>
> Jacques
>
>