OFBiz

OFBIZ-1525: Issue to group security concerns


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: ALL COMPONENTS
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

      Description

      The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).

      This issue should never be closed.

        Issue Links (sub-task title, type, status, assignee)

        1. Passwords are not salted (Sub-task, Open, Adam Heath)
        2. special security should be required for setting passwords (Sub-task, Open, Unassigned)
        3. Remaining XSRF issues (Sub-task, Closed, Jacques Le Roux)
        4. Secure URLs exceptions (Sub-task, Closed, Jacques Le Roux)
        5. Secure targets in widget forms (Sub-task, Closed, Jacques Le Roux)
        6. entity encrypt columns not using encryption salt value? (Sub-task, Closed, Adam Heath)
        7. Additional Validation for Password : Make password pattern driven (Sub-task, Closed, Jacques Le Roux)
        8. Analysis of code vulnerabilities (Sub-task, Closed, Unassigned)
        9. Update commons collections to 3.2.2 because of known possible exploit [CVE-2016-2170] (Sub-task, Closed, Jacques Le Roux)
        10. Update Groovy to 2.4.5 version [CVE-2016-2170] (Sub-task, Closed, Jacopo Cappellato)
        11. Add session tracking mode and make cookie secure (Sub-task, Closed, Jacques Le Roux)
        12. Set widget default url encode value to true (Sub-task, Closed, Jacques Le Roux)
        13. XSS vulnerability in OFBiz forms and screens especially in display-entity component (Sub-task, Closed, Jacques Le Roux)
        14. Security concern in the way to populate parameters map in the context (Sub-task, Closed, David E. Jones)
        15. Security : The remote web server is prone to cross-site scripting attacks. (Sub-task, Closed, Scott Gray)
        16. Secure URLs (Sub-task, Closed, Jacques Le Roux)
        17. Cross site scripting vulnerability in Forum (Sub-task, Closed, David E. Jones)
        18. html code is not sanitized in all the text input field (Sub-task, Closed, David E. Jones)
        19. Passwords in POS are shown in clear text (Sub-task, Closed, Jacques Le Roux)
        20. Cross Site Scripting Vulnerability (XSS) (Sub-task, Closed, David E. Jones)
        21. Poodle-disable sslv3 (Sub-task, Closed, Jacques Le Roux)
        22. Secure HTTP headers (Sub-task, Closed, Jacques Le Roux)
        23. Check embedded Javascript libs vulnerabilities using retire.js (Sub-task, Closed, Jacques Le Roux)
        24. Update embedded Tomcat to 7.0.57 (Sub-task, Closed, Jacques Le Roux)
        25. Secure the login.secret_key_string (Sub-task, Closed, Jacques Le Roux)
        26. POI security fix (Sub-task, Closed, Jacques Le Roux)
        27. Upgrade Tomcat version to 6.0.24 (Sub-task, Closed, Erwan de Ferrieres)
        28. Updates Tomcat to 7.0.65 (Sub-task, Closed, Jacques Le Roux)
        29. Upgrade Axis2 to 1.6.3 (Sub-task, Closed, Jacques Le Roux)
        30. Update Spring Framework (Sub-task, Closed, Jacques Le Roux)
        31. Update the passport component to use httpclient/core-4.4.1 instead of commons-httpclient-3.1 (Sub-task, Closed, Shi Jinghai)
        32. Remove useless and vulnerable hadoop-hdfs-2.2.0.jar (Sub-task, Closed, Jacques Le Roux)
        33. The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties (Sub-task, Closed, Jacques Le Roux)
        34. Use only HTTPS in OFBiz (Sub-task, Closed, Jacques Le Roux)
        35. Remove forceManualJsessionid feature (Sub-task, Closed, Jacques Le Roux)
        36. Get rid of the session-cookie-accepted feature (Sub-task, Closed, Jacques Le Roux)
        37. Remove all sessionsIds put in URLs (Sub-task, Closed, Jacques Le Roux)
        38. Remove forceHttpSession feature (Sub-task, Closed, Jacques Le Roux)
        39. Hide sessionId in logs by default, show them using a properties (Sub-task, Closed, Jacques Le Roux)
        40. Update Xalan libs to version 2.7.2 because of CVE-2014-0107 (Sub-task, Closed, Jacques Le Roux)
        41. Update Tomcat to 7.0.68 (Sub-task, Closed, Jacques Le Roux)
        42. Upgrade Tomcat to 8.0.33 (Sub-task, Closed, Jacques Le Roux)
        43. Upgrade Axis2 to 1.7.1 (Sub-task, Closed, Jacques Le Roux)
        44. Replace the contrast Java agent by the notsoserial Java agent (Sub-task, Closed, Jacques Le Roux)
        45. Update XStream lib to prevent XML External Entity (XXE) Processing (Sub-task, Closed, Jacques Le Roux)
        46. Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] (Sub-task, Closed, Jacques Le Roux)
        47. Use SecureRandom instead of Random where appropriate, and randomUUID for externalKey (Sub-task, Closed, Jacques Le Roux)
        48. Remove duplicated jars under solr component (Sub-task, Closed, Shi Jinghai)
        49. Pagination Problem in Find Invoices By Due Date (Sub-task, Closed, Jacques Le Roux)
        50. Upgrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability (Sub-task, Closed, Jacques Le Roux)
        51. Update Shiro to 1.2.5 (CVE-2016-4437) (Sub-task, Closed, Jacques Le Roux)
        52. Upgrade Tomcat to 8.5.3 (or 8.0.36) (Sub-task, Closed, Jacques Le Roux)
        53. Upgrade Tomcat to 8.0.39 (Sub-task, Closed, Jacques Le Roux)
        54. Missing file results in error (Sub-task, Closed, Jacques Le Roux)
        55. Update Tomcat to 8.0.42 because of CVE-2017-5648 (Sub-task, Closed, Jacques Le Roux)
        56. On setting verbose true, UtilHttp.getParameterMap() method prints username and password in logs (Sub-task, Closed, Jacques Le Roux)
        57. Enhance cookies security (Sub-task, Closed, Jacques Le Roux)
        58. [FB] Find Security Bugs (Sub-task, Closed, Jacques Le Roux)
        59. Prevent the possible return of the Robot attack (Sub-task, Closed, Jacques Le Roux)
        60. JSESSIONID root cookie not protected (httponly) (Sub-task, Closed, Jacques Le Roux)
        61. Update Solr and Lucene from 7.2.1 to Solr 7.3.1 for security reason (CVE-2018-8010) (Sub-task, Closed, Jacques Le Roux)
        62. Session fixation issue (Sub-task, Closed, Jacques Le Roux)
        63. Add a mean to handle CSRF (CVE-2019-0235) (Sub-task, Closed, Jacques Le Roux)
        64. CLONE - Check embedded Javascript libs vulnerabilities using retire.js (Sub-task, Closed, Aditya Sharma)
        65. Replace SHA-1 by SHA-512 (Sub-task, Open, Unassigned)
        66. Update Tomcat to 9.0.16 due to CVE-2019-0199 (Sub-task, Closed, Jacques Le Roux)
        67. Update Tomcat to 9.0.18 due to CVE-2019-0232 (Sub-task, Closed, Jacques Le Roux)
        68. Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password" (Sub-task, Closed, Jacques Le Roux)
        69. Update Apache commons-fileupload to last version (CVE-2019-0189) (Sub-task, Closed, Jacques Le Roux)
        70. improve XML parsing with more restrictive settings (Sub-task, Closed, Taher Alkhateeb)
        71. Html escaping missing for portalPageId parameter of Help button (Sub-task, Closed, Deepak Dixit)
        72. Create customer request screen breaks when entering special characters (CVE-2019-10074) (Sub-task, Closed, Scott Gray)
        73. Arbitrary Code Execution (Sub-task, Closed, Jacques Le Roux)
        74. Path Traversal in webtools/control/FetchLogs and ViewFile (Sub-task, Closed, Jacques Le Roux)
        75. XML Entity Injection in webtools/control/entityImport (Sub-task, Closed, Jacques Le Roux)
        76. Improve ObjectInputStream class (CVE-2019-0189) (Sub-task, Closed, Jacques Le Roux)
        77. Temporarily comment out the "stream" request-map in ecommerce controller for security reason (Sub-task, Closed, Jacques Le Roux)
        78. POC for CSRF Token (CVE-2019-0235) (Sub-task, Closed, Jacques Le Roux)
        79. The "stream" request-map in ecommerce and commonext controllers requires authentication (Sub-task, Closed, Jacques Le Roux)
        80. Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938) (Sub-task, Closed, Michael Brohl)
        81. Ensure that the SameSite attribute is set to 'strict' for all cookies. (CVE-2019-0235) (Sub-task, Closed, Jacques Le Roux)
        82. Improve Web Content Caching (Sub-task, Closed, Jacques Le Roux)
        83. Prevent Host Header Injection (CVE-2019-12425) (Sub-task, Closed, Jacques Le Roux)
        84. CLONE - Use only HTTPS in OFBiz (Sub-task, Closed, Jacques Le Roux)
        85. Prevent FreeMarker Template Injection (SSTI) (Sub-task, Closed, Jacques Le Roux)
        86. Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496) (Sub-task, Closed, Jacques Le Roux)
        87. CLONE - Check embedded Javascript libs vulnerabilities using retire.js (Sub-task, Closed, Aditya Sharma)
        88. IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923) (Sub-task, Closed, Jacques Le Roux)
        89. Reflected XSS in content component (Sub-task, Closed, Jacques Le Roux)
        90. CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (Sub-task, Closed, Michael Brohl)
        91. Server-Side Template Injection using Static (Sub-task, Closed, Jacques Le Roux)
        92. Check if <<request.getParameter(">> meme needs encoding in some place (Sub-task, Closed, Jacques Le Roux)
        93. Remote Code Execution (File Upload) Vulnerability (Sub-task, Closed, Jacques Le Roux)
        94. Local File Inclusion vulnerability (Sub-task, Closed, Jacques Le Roux)
        95. Prevent possible post-auth RCE from webtools/control/ProgramExport (Sub-task, Closed, Jacques Le Roux)
        96. Prevent Zip Slip vulnerability (Sub-task, Closed, Jacques Le Roux)
        97. Prevent arbitrary file write using webtools/control/EntitySQLProcessor. (Sub-task, Closed, Jacques Le Roux)
        98. Secure the uploads (Sub-task, Closed, Jacques Le Roux)
        99. Post-auth XSS vulnerability at catalog/control/EditProductPromo (Sub-task, Closed, Jacques Le Roux)
        100. Make ruleName field in PriceForms.xml#AddPriceRules safe (Sub-task, Closed, Jacques Le Roux)
        101. Dependency verification (Sub-task, Open, Unassigned)
        102. Upgrade Tomcat from 9.0.41 to 9.0.43 (Sub-task, Closed, Michael Brohl)
        103. Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (Sub-task, Closed, Michael Brohl)
        104. webtools/control/threadList no longer works on trunk (only) (Sub-task, Closed, Jacques Le Roux)
        105. Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295) (Sub-task, Closed, Jacques Le Roux)
        106. Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (Sub-task, Closed, Jacques Le Roux)
        107. Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128] (Sub-task, Closed, Jacques Le Roux)
        108. Fixed UtilObject class [CVE-2021-29200] (Sub-task, Closed, Jacques Le Roux)
        109. Fixed ObjectInputStream denyList [CVE-2021-30128] (Sub-task, Closed, Jacques Le Roux)

            People

            • Assignee: Unassigned
            • Reporter: jleroux (Jacques Le Roux)