[OFBIZ-1525] Issue to group security concerns - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: Trunk, Upcoming Branch
Fix Version/s: None
Component/s: ALL COMPONENTS
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).

This issue should never be closed

Attachments

Issue Links

incorporates

OFBIZ-178 Cross site scripting vulnerability in Forum

Closed

OFBIZ-260 Cross Site Scripting Vulnerability (XSS)

Closed

OFBIZ-1193 html code is not sanitized in all the text input field

Closed

OFBIZ-1106 Passwords in POS are shown in clear text

Closed

OFBIZ-5254 Services allow arbitrary HTML for parameters with allow-html set to "safe"

Closed

OFBIZ-1476 XSS vulnerability in OFBiz Login Form

Closed

OFBIZ-1900 Fortify Open Source Security Report mentioned OFBiz

Closed

OFBIZ-2121 XSS vulnerability in eCommerce/ordermgr

Closed

OFBIZ-6669 Possible stored XSS issue with Content

Closed

OFBIZ-1970 unescaped html special characters create problems in pages

Closed

OFBIZ-4983 New feature to reclaim a user account - Using Security Questions

Closed

OFBIZ-5009 Enforce user to reset his password in a pre-defined regular interval of time.

Closed

OFBIZ-2243 In hyperlink and sub-hyperlink elements, replacement of target parameters by parameter sub-elements

Closed

OFBIZ-2260 Secure URLs in Freemarker templates files

Closed

OFBIZ-10484 Sanitize the output of XML-RPC replies of error data

Closed

OFBIZ-10509 Disable DTDs for XML-RPC requests

Closed

OFBIZ-2330 Main task for securing URLs in Freemarker templates files

Closed

OFBIZ-10517 Update Apache Tomcat to 9.0.10 because of CVE-2018-8037

Closed

OFBIZ-5343 Update owasp-esapi-java

Closed

is a parent of

OFBIZ-10054 Product content management screen doesn't validate trusted users' input

Closed

is related to

OFBIZ-7928 Use "Let's encrypt" for OFBiz demos SSL/TLS certificates

Closed

mentioned in: Page Loading...

(14 incorporates, 1 is a parent of, 1 is related to, 1 mentioned in)

Sub-Tasks

1.	Passwords are not salted	Closed	Unassigned
2.	special security should be required for setting passwords	Open	Unassigned
3.	Remaining XSRF issues	Closed	Jacques Le Roux
4.	Secure URLs exceptions	Closed	Jacques Le Roux
5.	Secure targets in widget forms	Closed	Jacques Le Roux
6.	entity encrypt columns not using encryption salt value?	Closed	Adam Heath
7.	Additional Validation for Password : Make password pattern driven	Closed	Jacques Le Roux
8.	Analysis of code vulnerabilities	Closed	Unassigned
9.	Update commons collections to 3.2.2 because of known possible exploit [CVE-2016-2170]	Closed	Jacques Le Roux
10.	Update Groovy to 2.4.5 version [CVE-2016-2170]	Closed	Jacopo Cappellato
11.	Add session tracking mode and make cookie secure	Closed	Jacques Le Roux
12.	Set widget default url encode value to true	Closed	Jacques Le Roux
13.	XSS vulnerability in OFBiz forms and screens especially in display-entity component	Closed	Jacques Le Roux
14.	Security concern in the way to populate parameters map in the context	Closed	David E. Jones
15.	Security : The remote web server is prone to cross-site scripting attacks.	Closed	Scott Gray
16.	Secure URLs	Closed	Jacques Le Roux
17.	Cross site scripting vulnerability in Forum	Closed	David E. Jones
18.	html code is not sanitized in all the text input field	Closed	David E. Jones
19.	Passwords in POS are shown in clear text	Closed	Jacques Le Roux
20.	Cross Site Scripting Vulnerability (XSS)	Closed	David E. Jones
21.	Poodle-disable sslv3	Closed	Jacques Le Roux
22.	Secure HTTP headers	Closed	Jacques Le Roux
23.	Check embedded Javascript libs vulnerabilities using retire.js	Closed	Jacques Le Roux
24.	Update embedded Tomcat to 7.0.57	Closed	Jacques Le Roux
25.	Secure the login.secret_key_string	Closed	Jacques Le Roux
26.	POI security fix	Closed	Jacques Le Roux
27.	Upgrade Tomcat version to 6.0.24	Closed	Erwan de Ferrieres
28.	Updates Tomcat to 7.0.65	Closed	Jacques Le Roux
29.	Upgrade Axis2 to 1.6.3	Closed	Jacques Le Roux
30.	Update Spring Framework	Closed	Jacques Le Roux
31.	Update the passport component to use httpclient/core-4.4.1 instead of commons-httpclient-3.1	Closed	Shi Jinghai
32.	Remove useless and vulnerable hadoop-hdfs-2.2.0.jar	Closed	Jacques Le Roux
33.	The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties	Closed	Jacques Le Roux
34.	Use only HTTPS in OFBiz	Closed	Jacques Le Roux
35.	Remove forceManualJsessionid feature	Closed	Jacques Le Roux
36.	Get rid of the session-cookie-accepted feature	Closed	Jacques Le Roux
37.	Remove all sessionsIds put in URLs	Closed	Jacques Le Roux
38.	Remove forceHttpSession feature	Closed	Jacques Le Roux
39.	Hide sessionId in logs by default, show them using a properties	Closed	Jacques Le Roux
40.	Update Xalan libs to version 2.7.2 because of CVE-2014-0107	Closed	Jacques Le Roux
41.	Update Tomcat to 7.0.68	Closed	Jacques Le Roux
42.	Upgrade Tomcat to 8.0.33	Closed	Jacques Le Roux
43.	Upgrade Axis2 to 1.7.1	Closed	Jacques Le Roux
44.	Replace the contrast Java agent by the notsoserial Java agent	Closed	Jacques Le Roux
45.	Update XStream lib to prevent XML External Entity (XXE) Processing	Closed	Jacques Le Roux
46.	Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]	Closed	Jacques Le Roux
47.	Use SecureRandom instead of Random where appropriate, and randomUUID for externalKey	Closed	Jacques Le Roux
48.	Remove duplicated jars under solr component	Closed	Shi Jinghai
49.	Pagination Problem in Find Invoices By Due Date	Closed	Jacques Le Roux
50.	Ugrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability	Closed	Jacques Le Roux
51.	Update Shiro to 1.2.5 (CVE-2016-4437)	Closed	Jacques Le Roux
52.	Upgrade Tomcat to 8.5.3 (or 8.0.36)	Closed	Jacques Le Roux
53.	Upgrade Tomcat to 8.0.39	Closed	Jacques Le Roux
54.	Missing file results in error	Closed	Jacques Le Roux
55.	Update Tomcat to 8.0.42 because of CVE-2017-5648	Closed	Jacques Le Roux
56.	On setting verbose true, UtilHttp.getParameterMap() method prints username and password in logs	Closed	Jacques Le Roux
57.	Enhance cookies security	Closed	Jacques Le Roux
58.	[FB] Find Security Bugs	Closed	Jacques Le Roux
59.	Prevent the possible return of the Robot attack	Closed	Jacques Le Roux
60.	JSESSIONID root cookie not protected (httponly)	Closed	Jacques Le Roux
61.	Update Solr and Lucene from 7.2.1 to Solr 7.3.1 for security reason (CVE-2018-8010)	Closed	Jacques Le Roux
62.	Session fixation issue	Closed	Jacques Le Roux
63.	Add a mean to handle CSRF (CVE-2019-0235)	Closed	Jacques Le Roux
64.	CLONE - Check embedded Javascript libs vulnerabilities using retire.js	Closed	Aditya Sharma
65.	Replace SHA-1 by SHA-512	Open	Unassigned
66.	Update Tomcat to 9.0.16 due to CVE-2019-0199	Closed	Jacques Le Roux
67.	Update Tomcat to 9.0.18 due to CVE-2019-0232	Closed	Jacques Le Roux
68.	Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"	Closed	Jacques Le Roux
69.	Update Apache commons-fileupload to last version (CVE-2019-0189)	Closed	Jacques Le Roux
70.	improve XML parsing with more restrictive settings	Closed	Taher Alkhateeb
71.	Html escaping missing for portalPageId parameter of Help button	Closed	Deepak Dixit
72.	Create customer request screen breaks when entering special characters (CVE-2019-10074)	Closed	Scott Gray
73.	Arbitrary Code Execution	Closed	Jacques Le Roux
74.	Path Traversal in webtools/control/FetchLogs and ViewFile	Closed	Jacques Le Roux
75.	XML Entity Injection in webtools/control/entityImport	Closed	Jacques Le Roux
76.	Improve ObjectInputStream class (CVE-2019-0189)	Closed	Jacques Le Roux
77.	Temporarily comment out the "stream" request-map in ecommerce controller for security reason	Closed	Jacques Le Roux
78.	POC for CSRF Token (CVE-2019-0235)	Closed	Jacques Le Roux
79.	The "stream" request-map in ecommerce and commonext controllers requires authentication	Closed	Jacques Le Roux
80.	Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)	Closed	Jacques Le Roux
81.	Ensure that the SameSite attribute is set to 'strict' for all cookies. (CVE-2019-0235)	Closed	Jacques Le Roux
82.	Improve Web Content Caching	Closed	Jacques Le Roux
83.	Prevent Host Header Injection (CVE-2019-12425)	Closed	Jacques Le Roux
84.	CLONE - Use only HTTPS in OFBiz	Closed	Jacques Le Roux
85.	Prevent FreeMarker Template Injection (SSTI)	Closed	Jacques Le Roux
86.	Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)	Closed	Jacques Le Roux
87.	CLONE - Check embedded Javascript libs vulnerabilities using retire.js	Closed	Aditya Sharma
88.	IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923)	Closed	Jacques Le Roux
89.	Reflected XSS in content component	Closed	Jacques Le Roux
90.	CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)	Closed	Michael Brohl
91.	Server-Side Template Injection using Static	Closed	Jacques Le Roux
92.	Check if <<request.getParameter(">> meme needs encoding in some place	Closed	Jacques Le Roux
93.	Remote Code Execution (File Upload) Vulnerability	Closed	Jacques Le Roux
94.	Local File Inclusion vulnerability	Closed	Jacques Le Roux
95.	Prevent possible post-auth RCE from webtools/control/ProgramExport	Closed	Jacques Le Roux
96.	Prevent Zip Slip vulnerability	Closed	Jacques Le Roux
97.	Prevent arbitary file write using webtools/control/EntitySQLProcessor.	Closed	Jacques Le Roux
98.	Secure the uploads	Closed	Jacques Le Roux
99.	Post-auth XSS vulnerability at catalog/control/EditProductPromo	Closed	Jacques Le Roux
100.	Make ruleName field in PriceForms.xml#AddPriceRules safe	Closed	Jacques Le Roux
101.	Dependency verification	Closed	Jacques Le Roux
102.	Upgrade Tomcat from 9.0.41 to 9.0.43	Closed	Michael Brohl
103.	Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)	Closed	Michael Brohl
104.	webtools/control/threadList no longer works on trunk (only)	Closed	Jacques Le Roux
105.	Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)	Closed	Jacques Le Roux
106.	Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906	Closed	Jacques Le Roux
107.	Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]	Closed	Jacques Le Roux
108.	Fixed UtilObject class [CVE-2021-29200]	Closed	Jacques Le Roux
109.	Fixed ObjectInputStream denyList [CVE-2021-30128]	Closed	Jacques Le Roux
110.	Update PDFBox to 2.0.24 because of CVE-2021-31811 & CVE-2021-31812	Closed	Jacques Le Roux
111.	Wrong uploaded file checked in Image Management [CVE-2021-37608]	Closed	Jacques Le Roux
112.	SecuredUpload::isValidTextFile wrong check with uppercase	Closed	Jacques Le Roux
113.	CVE-2021-37608 vulnerability bypass	Closed	Jacques Le Roux
114.	Found a new XXE (XML External Entity Injection) vulnerability in EntityImport	Closed	Jacques Le Roux
115.	Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo	Closed	Jacques Le Roux
116.	OFBiz Arbitrary file read vulnerability	Closed	Jacques Le Roux
117.	The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905)	Closed	Jacques Le Roux
118.	post-auth Remote Code Execution Vulnerability	Closed	Jacques Le Roux
119.	[SECURITY] CVE-2021-42340 Apache Tomcat DoS	Closed	Jacques Le Roux
120.	Update jquery-validation to 1.19.3 for security reason	Closed	Jacques Le Roux
121.	[SECURITY] CVE-2021-44228: Apache Log4j2	Closed	Jacques Le Roux
122.	Update Solr and Lucene to address several CVEs (including Log4j)	Closed	Jacques Le Roux
123.	[SECURITY] CVE-2021-45105: Apache Log4j2	Closed	Jacques Le Roux
124.	[SECURITY] Update TIka because of Apache Log4j2 vulnerability	Closed	Jacques Le Roux
125.	[SECURITY] CVE-2021-44832: Apache Log4j2	Closed	Jacques Le Roux
126.	Upgrade Tomcat from 9.0.54 to 9.0.58	Closed	Jacques Le Roux
127.	[SECURITY] CVE-2022-23437: Infinite loop within Apache XercesJ xml parser	Closed	Jacques Le Roux
128.	Possible authenticated attack related to Tomcat CVE-2020-1938	Closed	Jacques Le Roux
129.	[SECURITY] Upgrade Tika to 2.3.0 or more	Closed	Deepak Dixit
130.	CLONE - [SECURITY] Upgrade Tika to 1.28.1	Closed	Jacques Le Roux
131.	Prevent post-Auth vulnerability: FreeMarker Bypass	Closed	Jacques Le Roux
132.	Stored XSS in webappPath parameter from content/control/EditWebSite	Closed	Jacques Le Roux
133.	Prevent possible DOS attack done using Java deserialisation	Closed	Jacques Le Roux
134.	Prevent Freemarker interpolation in fields	Closed	Jacques Le Roux
135.	[SECURITY] Upgrade Tika to 1.28.3	Closed	Jacques Le Roux
136.	Regular expression denial of service in jquery-validation	Closed	Jacques Le Roux
137.	Update Solr and Lucene from 8.11.1 to 8.11.2 for security reason	Closed	Jacques Le Roux
138.	[SECURITY] Upgrade Tika to 1.28.4	Closed	Jacques Le Roux
139.	Java Deserialization vulnerability in Apache OfBiz (CVE-2022-29063)	Closed	Jacques Le Roux
140.	In UtilHttp, for regex processing of urls, replace Java regexp with RE2J	Closed	Jacques Le Roux
141.	Upgrade Tomcat from 9.0.60 to 9.0.65	Closed	Jacques Le Roux
142.	Update Tomcat to 9.0.68 due to a low security issue	Closed	Jacques Le Roux
143.	Update Apache Shiro to 1.10.1	Closed	Jacques Le Roux
144.	CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection	Closed	Jacques Le Roux
145.	CVE-2023-24998 Apache Commons FileUpload and Tomcat - DoS with excessive parts	Closed	Jacques Le Roux
146.	[SECURITY] CVE-2023-28708 Apache Tomcat - Information Disclosure	Closed	Jacques Le Roux
147.	Disallow string concatenation in uploaded files	Closed	Jacques Le Roux
148.	[CVE-2022-47501] Arbitrary file reading vulnerability in Solr	Closed	Jacques Le Roux
149.	Disable the Birt component in all branches (including trunk) because of CVE-2022-25371	Closed	Jacques Le Roux
150.	[SECURITY] CVE-2023-34981 Apache Tomcat	Closed	Jacques Le Roux
151.	[CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack	Closed	Jacques Le Roux
152.	Improve use of RandomStringUtils where it's potentially used in an insecure way	Closed	Jacques Le Roux
153.	Execution of queries without authentication	Closed	Jacques Le Roux
154.	[SECURITY] Several CVEs in Apache Tomcat	Closed	Jacques Le Roux
155.	[SECURITY] Upgrade Apache Shiro to 1.13.0 to fix CVE-2023-46750	Closed	Jacques Le Roux
156.	[SECURITY] Remove deprecated Apache XML-RPC related code (CVE-2023-49070)	Closed	Deepak Dixit
157.	[SECURITY: CVE-2023-50968] Use screen engine for the request getJSONuilabels	Closed	Nicolas Malin
158.	[SECURITY: CVE-2023-51467] Replaced direct null checks on username, password, and token with UtilValidate.isEmpty() method calls for consistency.	Closed	Deepak Dixit
159.	[SECURITY] (CVE-2024-23946) Don't need to show files names in UI messages	Closed	Jacques Le Roux
160.	[SECURITY] (CVE-2024-25065) Normalize contextPath in hasBasePermission	Closed	Jacques Le Roux
161.	[SECURITY] In Solr fixe NPE in FieldLengthFeature with non-stored/missing fields.	Closed	Jacques Le Roux
162.	[SECURITY] Several CVEs in Apache Tomcat	Closed	Jacques Le Roux
163.	[SECURITY] (CVE-2024-32113) Path traversal leading to RCE	Closed	Jacques Le Roux
164.	[SECURITY] (CVE-2024-36104) Path traversal leading to RCE	Closed	Jacques Le Roux
165.	CVE-2024-34750 Apache Tomcat - Denial of Service	Closed	Jacques Le Roux
166.	[CVE-2024-38856] Add permission check for ProgramExport and EntitySQLProcessor	Closed	Deepak Dixit
167.	[CVE-2024-45507] Add validation to screen/script URI to block URL patterns	Closed	Deepak Dixit
168.	[CVE-2024-45195] Add permission check for view-maps and change defaults for request-maps	Closed	Sebastian Tschikin
169.	[SECURITY] (CVE-2024-47208) Update method to check if the string starts with component:// instead of merely containing it	Closed	Deepak Dixit
170.	[SECURITY] (CVE-2024-48962) Enhance Parameter Encoding in MacroMenuRenderer	Closed	Deepak Dixit

Activity

People

Assignee:: Unassigned

Reporter:: Jacques Le Roux

Votes:: 3 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 16/Dec/07 09:23

Updated:: 04/Feb/22 17:07