OFBIZ-1525

Issue to group security concerns

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: ALL COMPONENTS
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

    Description

    The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).

    This issue should never be closed.
    Issue Links

    All linked issues are sub-tasks of this issue.

    #   | Summary | Status | Assignee
    1.  | Passwords are not salted | Open | Adam Heath
    2.  | special security should be required for setting passwords | Open | Unassigned
    3.  | Remaining XSRF issues | Closed | Jacques Le Roux
    4.  | Secure URLs exceptions | Closed | Jacques Le Roux
    5.  | Secure targets in widget forms | Closed | Jacques Le Roux
    6.  | entity encrypt columns not using encryption salt value? | Closed | Adam Heath
    7.  | Additional Validation for Password : Make password pattern driven | Closed | Jacques Le Roux
    8.  | Analysis of code vulnerabilities | Closed | Unassigned
    9.  | Update commons collections to 3.2.2 because of known possible exploit [CVE-2016-2170] | Closed | Jacques Le Roux
    10. | Update Groovy to 2.4.5 version [CVE-2016-2170] | Closed | Jacopo Cappellato
    11. | Add session tracking mode and make cookie secure | Closed | Jacques Le Roux
    12. | Set widget default url encode value to true | Closed | Jacques Le Roux
    13. | XSS vulnerability in OFBiz forms and screens especially in display-entity component | Closed | Jacques Le Roux
    14. | Security concern in the way to populate parameters map in the context | Closed | David E. Jones
    15. | Security : The remote web server is prone to cross-site scripting attacks. | Closed | Scott Gray
    16. | Secure URLs | Closed | Jacques Le Roux
    17. | Cross site scripting vulnerability in Forum | Closed | David E. Jones
    18. | html code is not sanitized in all the text input field | Closed | David E. Jones
    19. | Passwords in POS are shown in clear text | Closed | Jacques Le Roux
    20. | Cross Site Scripting Vulnerability (XSS) | Closed | David E. Jones
    21. | Poodle-disable sslv3 | Closed | Jacques Le Roux
    22. | Secure HTTP headers | Closed | Jacques Le Roux
    23. | Check embedded Javascript libs vulnerabilities using retire.js | Closed | Jacques Le Roux
    24. | Update embedded Tomcat to 7.0.57 | Closed | Jacques Le Roux
    25. | Secure the login.secret_key_string | Closed | Jacques Le Roux
    26. | POI security fix | Closed | Jacques Le Roux
    27. | Upgrade Tomcat version to 6.0.24 | Closed | Erwan de FERRIERES
    28. | Updates Tomcat to 7.0.65 | Closed | Jacques Le Roux
    29. | Upgrade Axis2 to 1.6.3 | Closed | Jacques Le Roux
    30. | Update Spring Framework | Closed | Jacques Le Roux
    31. | Update the passport component to use httpclient/core-4.4.1 instead of commons-httpclient-3.1 | Closed | Shi Jinghai
    32. | Remove useless and vulnerable hadoop-hdfs-2.2.0.jar | Closed | Jacques Le Roux
    33. | The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties | Closed | Jacques Le Roux
    34. | Use only HTTPS in OFBiz | Closed | Jacques Le Roux
    35. | Remove forceManualJsessionid feature | Closed | Jacques Le Roux
    36. | Get rid of the session-cookie-accepted feature | Closed | Jacques Le Roux
    37. | Remove all sessionsIds put in URLs | Closed | Jacques Le Roux
    38. | Remove forceHttpSession feature | Closed | Jacques Le Roux
    39. | Hide sessionId in logs by default, show them using a properties | Closed | Jacques Le Roux
    40. | Update Xalan libs to version 2.7.2 because of CVE-2014-0107 | Closed | Jacques Le Roux
    41. | Update Tomcat to 7.0.68 | Closed | Jacques Le Roux
    42. | Upgrade Tomcat to 8.0.33 | Closed | Jacques Le Roux
    43. | Upgrade Axis2 to 1.7.1 | Closed | Jacques Le Roux
    44. | Replace the contrast Java agent by the notsoserial Java agent | Closed | Jacques Le Roux
    45. | Update XStream lib to prevent XML External Entity (XXE) Processing | Closed | Jacques Le Roux
    46. | Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] | Closed | Jacques Le Roux
    47. | Use SecureRandom instead of Random where appropriate, and randomUUID for externalKey | Closed | Jacques Le Roux
    48. | Remove duplicated jars under solr component | Closed | Shi Jinghai
    49. | Pagination Problem in Find Invoices By Due Date | Closed | Jacques Le Roux
    50. | Upgrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability | Closed | Jacques Le Roux
    51. | Update Shiro to 1.2.5 (CVE-2016-4437) | Closed | Jacques Le Roux
    52. | Upgrade Tomcat to 8.5.3 (or 8.0.36) | Closed | Jacques Le Roux
    53. | Upgrade Tomcat to 8.0.39 | Closed | Jacques Le Roux
    54. | Missing file results in error | Closed | Jacques Le Roux
    55. | Update Tomcat to 8.0.42 because of CVE-2017-5648 | Closed | Jacques Le Roux
    56. | On setting verbose true, UtilHttp.getParameterMap() method prints username and password in logs | Closed | Jacques Le Roux
    57. | Enhance cookies security | Closed | Jacques Le Roux
    58. | [FB] Find Security Bugs | In Progress | Jacques Le Roux
    59. | Prevent the possible return of the Robot attack | Closed | Jacques Le Roux
    60. | JSESSIONID root cookie not protected (httponly) | Open | Unassigned
    61. | Update Solr and Lucene from 7.2.1 to Solr 7.3.1 for security reason (CVE-2018-8010) | Closed | Jacques Le Roux
    62. | Session fixation issue | Closed | Jacques Le Roux
    63. | Add a means to handle CSRF | Patch Available | Jacques Le Roux

    People

    • Assignee: Unassigned
    • Reporter: Jacques Le Roux (jacques.le.roux)
    • Votes: 1
    • Watchers: 8

    Dates

    • Created:
    • Updated: