Felix / FELIX-5893

JQuery Security bug CVE-2015-9251 in Web Console


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: webconsole-4.3.4
    • Fix Version/s: webconsole-4.3.8
    • Component/s: Console
    • Labels:
      None

      Description

      Hi Experts,

      In our product we are using Sling version 6 in one of our releases. (Working on migration to Sling 10 for next versions.)

      Recently we came across a security bug, CVE-2015-9251.
      (CVE-2015-9251 is a vulnerability that allows an attacker to execute arbitrary code when text/javascript responses are received from cross-origin ajax requests not containing the option `dataType`. Its CVSS score is 6.1 in NVD.)

      To fix this, an upgrade of jQuery to versions greater than 3.0.0 is required.

      In our product we are using the Felix web console dependency, which contains jQuery of version 1.3.2.js.

      As part of the fix for the security bug we need to upgrade the jQuery in the jars that are mentioned above.
      For that we checked the latest versions of the above-mentioned jars and identified that the jQuery versions are not above v3.0.0.
      So could you please help us in upgrading them as soon as possible?
          
      Thanks,
      Varun.
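
The check the reporter describes (looking inside the jars for a bundled jQuery older than 3.0.0) can be scripted. This is an added example, not part of the original report or of the Felix project's code; the entry names in the sample jar are constructed, and the file-name and banner patterns are assumptions about how a bundled copy identifies itself. It goes slightly beyond the report by also descending into jars embedded in the jar.

```python
import io
import re
import zipfile

# File names such as jquery-1.3.2.js or jquery-3.6.0.min.js (assumed naming).
NAME_RE = re.compile(r"jquery[-.](\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$", re.I)
# Banner comments such as "jQuery JavaScript Library v1.3.2" or "jQuery v3.6.0".
BANNER_RE = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?")
# NVD lists jQuery before 3.0.0 as affected by CVE-2015-9251.
FIXED = (3, 0, 0)

def jquery_version(name, data):
    """Return (major, minor, patch) of a jQuery core file, or None."""
    m = NAME_RE.search(name) or BANNER_RE.search(data[:2048])
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_jar(jar, prefix=""):
    """Map entry path -> version for every bundled jQuery older than FIXED."""
    findings = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name, lower = info.filename, info.filename.lower()
            if lower.endswith(".jar"):
                # Bundles can embed further jars, so scan those as well.
                inner = io.BytesIO(zf.read(info))
                findings.update(scan_jar(inner, prefix + name + "!/"))
            elif lower.endswith(".js"):
                ver = jquery_version(name, zf.read(info))
                if ver is not None and ver < FIXED:
                    findings[prefix + name] = ver
    return findings

def build_sample_jar():
    """Constructed sample: an in-memory jar with made-up entry names."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("static/jquery.min.js", "/*! jQuery v1.12.4 | (c) */")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("res/lib/jquery-1.3.2.js", "/* jQuery JavaScript Library v1.3.2 */")
        zf.writestr("res/lib/jquery-3.6.0.min.js", "/*! jQuery v3.6.0 */")
        zf.writestr("res/lib/jquery-ui-1.7.2.js", "/* jQuery UI 1.7.2 */")
        zf.writestr("lib/embedded.jar", inner.getvalue())
    return outer

if __name__ == "__main__":
    for entry, ver in sorted(scan_jar(build_sample_jar()).items()):
        print(entry, ".".join(map(str, ver)))
```

To scan a real artifact, pass its path to `scan_jar()` instead of the constructed sample; an empty result means no bundled jQuery core file older than 3.0.0 was recognised.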

        Attachments

        1. FELIX-5893.diff
          187 kB
          Christanto

            People

            • Assignee:
              cziegeler Carsten Ziegeler
              Reporter:
              Varun G Varun Ganesh
            • Votes:
              0
              Watchers:
              3