Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525

Issue to group security concerns

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • Trunk, Upcoming Branch
    • None
    • ALL COMPONENTS
    • None
    • Bug Crush Event - 21/2/2015

    Description

      The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).

      This issue should never be closed

      Attachments

        Issue Links

          1.
          Passwords are not salted Sub-task Closed Unassigned
          2.
          special security should be required for setting passwords Sub-task Open Unassigned
          3.
          Remaining XSRF issues Sub-task Closed Jacques Le Roux
          4.
          Secure URLs exceptions Sub-task Closed Jacques Le Roux
          5.
          Secure targets in widget forms Sub-task Closed Jacques Le Roux
          6.
          entity encrypt columns not using encryption salt value? Sub-task Closed Adam Heath
          7.
          Additional Validation for Password : Make password pattern driven Sub-task Closed Jacques Le Roux
          8.
          Analysis of code vulnerabilities Sub-task Closed Unassigned
          9.
          Update commons collections to 3.2.2 because of known possible exploit [CVE-2016-2170] Sub-task Closed Jacques Le Roux
          10.
          Update Groovy to 2.4.5 version [CVE-2016-2170] Sub-task Closed Jacopo Cappellato
          11.
          Add session tracking mode and make cookie secure Sub-task Closed Jacques Le Roux
          12.
          Set widget default url encode value to true Sub-task Closed Jacques Le Roux
          13.
          XSS vulnerability in OFBiz forms and screens especially in display-entity component Sub-task Closed Jacques Le Roux
          14.
          Security concern in the way to populate parameters map in the context Sub-task Closed David E. Jones
          15.
          Security : The remote web server is prone to cross-site scripting attacks. Sub-task Closed Scott Gray
          16.
          Secure URLs Sub-task Closed Jacques Le Roux
          17.
          Cross site scripting vulnerability in Forum Sub-task Closed David E. Jones
          18.
          html code is not sanitized in all the text input field Sub-task Closed David E. Jones
          19.
          Passwords in POS are shown in clear text Sub-task Closed Jacques Le Roux
          20.
          Cross Site Scripting Vulnerability (XSS) Sub-task Closed David E. Jones
          21.
          Poodle-disable sslv3 Sub-task Closed Jacques Le Roux
          22.
          Secure HTTP headers Sub-task Closed Jacques Le Roux
          23.
          Check embedded Javascript libs vulnerabilities using retire.js Sub-task Closed Jacques Le Roux
          24.
          Update embedded Tomcat to 7.0.57 Sub-task Closed Jacques Le Roux
          25.
          Secure the login.secret_key_string Sub-task Closed Jacques Le Roux
          26.
          POI security fix Sub-task Closed Jacques Le Roux
          27.
          Upgrade Tomcat version to 6.0.24 Sub-task Closed Erwan de Ferrieres
          28.
          Updates Tomcat to 7.0.65 Sub-task Closed Jacques Le Roux
          29.
          Upgrade Axis2 to 1.6.3 Sub-task Closed Jacques Le Roux
          30.
          Update Spring Framework Sub-task Closed Jacques Le Roux
          31.
          Update the passport component to use httpclient/core-4.4.1 instead of commons-httpclient-3.1 Sub-task Closed Shi Jinghai
          32.
          Remove useless and vulnerable hadoop-hdfs-2.2.0.jar Sub-task Closed Jacques Le Roux
          33.
          The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties Sub-task Closed Jacques Le Roux
          34.
          Use only HTTPS in OFBiz Sub-task Closed Jacques Le Roux
          35.
          Remove forceManualJsessionid feature Sub-task Closed Jacques Le Roux
          36.
          Get rid of the session-cookie-accepted feature Sub-task Closed Jacques Le Roux
          37.
          Remove all sessionsIds put in URLs Sub-task Closed Jacques Le Roux
          38.
          Remove forceHttpSession feature Sub-task Closed Jacques Le Roux
          39.
          Hide sessionId in logs by default, show them using a properties Sub-task Closed Jacques Le Roux
          40.
          Update Xalan libs to version 2.7.2 because of CVE-2014-0107 Sub-task Closed Jacques Le Roux
          41.
          Update Tomcat to 7.0.68 Sub-task Closed Jacques Le Roux
          42.
          Upgrade Tomcat to 8.0.33 Sub-task Closed Jacques Le Roux
          43.
          Upgrade Axis2 to 1.7.1 Sub-task Closed Jacques Le Roux
          44.
          Replace the contrast Java agent by the notsoserial Java agent Sub-task Closed Jacques Le Roux
          45.
          Update XStream lib to prevent XML External Entity (XXE) Processing Sub-task Closed Jacques Le Roux
          46.
          Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] Sub-task Closed Jacques Le Roux
          47.
          Use SecureRandom instead of Random where appropriate, and randomUUID for externalKey Sub-task Closed Jacques Le Roux
          48.
          Remove duplicated jars under solr component Sub-task Closed Shi Jinghai
          49.
          Pagination Problem in Find Invoices By Due Date Sub-task Closed Jacques Le Roux
          50.
          Ugrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability Sub-task Closed Jacques Le Roux
          51.
          Update Shiro to 1.2.5 (CVE-2016-4437) Sub-task Closed Jacques Le Roux
          52.
          Upgrade Tomcat to 8.5.3 (or 8.0.36) Sub-task Closed Jacques Le Roux
          53.
          Upgrade Tomcat to 8.0.39 Sub-task Closed Jacques Le Roux
          54.
          Missing file results in error Sub-task Closed Jacques Le Roux
          55.
          Update Tomcat to 8.0.42 because of CVE-2017-5648 Sub-task Closed Jacques Le Roux
          56.
          On setting verbose true, UtilHttp.getParameterMap() method prints username and password in logs Sub-task Closed Jacques Le Roux
          57.
          Enhance cookies security Sub-task Closed Jacques Le Roux
          58.
          [FB] Find Security Bugs Sub-task Closed Jacques Le Roux
          59.
          Prevent the possible return of the Robot attack Sub-task Closed Jacques Le Roux
          60.
          JSESSIONID root cookie not protected (httponly) Sub-task Closed Jacques Le Roux
          61.
          Update Solr and Lucene from 7.2.1 to Solr 7.3.1 for security reason (CVE-2018-8010) Sub-task Closed Jacques Le Roux
          62.
          Session fixation issue Sub-task Closed Jacques Le Roux
          63.
          Add a mean to handle CSRF (CVE-2019-0235) Sub-task Closed Jacques Le Roux
          64.
          CLONE - Check embedded Javascript libs vulnerabilities using retire.js Sub-task Closed Aditya Sharma
          65.
          Replace SHA-1 by SHA-512 Sub-task Open Unassigned
          66.
          Update Tomcat to 9.0.16 due to CVE-2019-0199 Sub-task Closed Jacques Le Roux
          67.
          Update Tomcat to 9.0.18 due to CVE-2019-0232 Sub-task Closed Jacques Le Roux
          68.
          Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password" Sub-task Closed Jacques Le Roux
          69.
          Update Apache commons-fileupload to last version (CVE-2019-0189) Sub-task Closed Jacques Le Roux
          70.
          improve XML parsing with more restrictive settings Sub-task Closed Taher Alkhateeb
          71.
          Html escaping missing for portalPageId parameter of Help button Sub-task Closed Deepak Dixit
          72.
          Create customer request screen breaks when entering special characters (CVE-2019-10074) Sub-task Closed Scott Gray
          73.
          Arbitrary Code Execution Sub-task Closed Jacques Le Roux
          74.
          Path Traversal in webtools/control/FetchLogs and ViewFile Sub-task Closed Jacques Le Roux
          75.
          XML Entity Injection in webtools/control/entityImport Sub-task Closed Jacques Le Roux
          76.
          Improve ObjectInputStream class (CVE-2019-0189) Sub-task Closed Jacques Le Roux
          77.
          Temporarily comment out the "stream" request-map in ecommerce controller for security reason Sub-task Closed Jacques Le Roux
          78.
          POC for CSRF Token (CVE-2019-0235) Sub-task Closed Jacques Le Roux
          79.
          The "stream" request-map in ecommerce and commonext controllers requires authentication Sub-task Closed Jacques Le Roux
          80.
          Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938) Sub-task Closed Jacques Le Roux
          81.
          Ensure that the SameSite attribute is set to 'strict' for all cookies. (CVE-2019-0235) Sub-task Closed Jacques Le Roux
          82.
          Improve Web Content Caching Sub-task Closed Jacques Le Roux
          83.
          Prevent Host Header Injection (CVE-2019-12425) Sub-task Closed Jacques Le Roux
          84.
          CLONE - Use only HTTPS in OFBiz Sub-task Closed Jacques Le Roux
          85.
          Prevent FreeMarker Template Injection (SSTI) Sub-task Closed Jacques Le Roux
          86.
          Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496) Sub-task Closed Jacques Le Roux
          87.
          CLONE - Check embedded Javascript libs vulnerabilities using retire.js Sub-task Closed Aditya Sharma
          88.
          IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923) Sub-task Closed Jacques Le Roux
          89.
          Reflected XSS in content component Sub-task Closed Jacques Le Roux
          90.
          CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) Sub-task Closed Michael Brohl
          91.
          Server-Side Template Injection using Static Sub-task Closed Jacques Le Roux
          92.
          Check if <<request.getParameter(">> meme needs encoding in some place Sub-task Closed Jacques Le Roux
          93.
          Remote Code Execution (File Upload) Vulnerability Sub-task Closed Jacques Le Roux
          94.
          Local File Inclusion vulnerability Sub-task Closed Jacques Le Roux
          95.
          Prevent possible post-auth RCE from webtools/control/ProgramExport Sub-task Closed Jacques Le Roux
          96.
          Prevent Zip Slip vulnerability Sub-task Closed Jacques Le Roux
          97.
          Prevent arbitary file write using webtools/control/EntitySQLProcessor. Sub-task Closed Jacques Le Roux
          98.
          Secure the uploads Sub-task Closed Jacques Le Roux
          99.
          Post-auth XSS vulnerability at catalog/control/EditProductPromo Sub-task Closed Jacques Le Roux
          100.
          Make ruleName field in PriceForms.xml#AddPriceRules safe Sub-task Closed Jacques Le Roux
          101.
          Dependency verification Sub-task Closed Jacques Le Roux
          102.
          Upgrade Tomcat from 9.0.41 to 9.0.43 Sub-task Closed Michael Brohl
          103.
          Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) Sub-task Closed Michael Brohl
          104.
          webtools/control/threadList no longer works on trunk (only) Sub-task Closed Jacques Le Roux
          105.
          Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295) Sub-task Closed Jacques Le Roux
          106.
          Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 Sub-task Closed Jacques Le Roux
          107.
          Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128] Sub-task Closed Jacques Le Roux
          108.
          Fixed UtilObject class [CVE-2021-29200] Sub-task Closed Jacques Le Roux
          109.
          Fixed ObjectInputStream denyList [CVE-2021-30128] Sub-task Closed Jacques Le Roux
          110.
          Update PDFBox to 2.0.24 because of CVE-2021-31811 & CVE-2021-31812 Sub-task Closed Jacques Le Roux
          111.
          Wrong uploaded file checked in Image Management [CVE-2021-37608] Sub-task Closed Jacques Le Roux
          112.
          SecuredUpload::isValidTextFile wrong check with uppercase Sub-task Closed Jacques Le Roux
          113.
          CVE-2021-37608 vulnerability bypass Sub-task Closed Jacques Le Roux
          114.
          Found a new XXE (XML External Entity Injection) vulnerability in EntityImport Sub-task Closed Jacques Le Roux
          115.
          Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo Sub-task Closed Jacques Le Roux
          116.
          OFBiz Arbitrary file read vulnerability Sub-task Closed Jacques Le Roux
          117.
          The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) Sub-task Closed Jacques Le Roux
          118.
          post-auth Remote Code Execution Vulnerability Sub-task Closed Jacques Le Roux
          119.
          [SECURITY] CVE-2021-42340 Apache Tomcat DoS Sub-task Closed Jacques Le Roux
          120.
          Update jquery-validation to 1.19.3 for security reason Sub-task Closed Jacques Le Roux
          121.
          [SECURITY] CVE-2021-44228: Apache Log4j2 Sub-task Closed Jacques Le Roux
          122.
          Update Solr and Lucene to address several CVEs (including Log4j) Sub-task Closed Jacques Le Roux
          123.
          [SECURITY] CVE-2021-45105: Apache Log4j2 Sub-task Closed Jacques Le Roux
          124.
          [SECURITY] Update TIka because of Apache Log4j2 vulnerability Sub-task Closed Jacques Le Roux
          125.
          [SECURITY] CVE-2021-44832: Apache Log4j2 Sub-task Closed Jacques Le Roux
          126.
          Upgrade Tomcat from 9.0.54 to 9.0.58 Sub-task Closed Jacques Le Roux
          127.
          [SECURITY] CVE-2022-23437: Infinite loop within Apache XercesJ xml parser Sub-task Closed Jacques Le Roux
          128.
          Possible authenticated attack related to Tomcat CVE-2020-1938 Sub-task Closed Jacques Le Roux
          129.
          [SECURITY] Upgrade Tika to 2.3.0 or more Sub-task Closed Deepak Dixit
          130.
          CLONE - [SECURITY] Upgrade Tika to 1.28.1 Sub-task Closed Jacques Le Roux
          131.
          Prevent post-Auth vulnerability: FreeMarker Bypass Sub-task Closed Jacques Le Roux
          132.
          Stored XSS in webappPath parameter from content/control/EditWebSite Sub-task Closed Jacques Le Roux
          133.
          Prevent possible DOS attack done using Java deserialisation Sub-task Closed Jacques Le Roux
          134.
          Prevent Freemarker interpolation in fields Sub-task Closed Jacques Le Roux
          135.
          [SECURITY] Upgrade Tika to 1.28.3 Sub-task Closed Jacques Le Roux
          136.
          Regular expression denial of service in jquery-validation Sub-task Closed Jacques Le Roux
          137.
          Update Solr and Lucene from 8.11.1 to 8.11.2 for security reason Sub-task Closed Jacques Le Roux
          138.
          [SECURITY] Upgrade Tika to 1.28.4 Sub-task Closed Jacques Le Roux
          139.
          Java Deserialization vulnerability in Apache OfBiz (CVE-2022-29063) Sub-task Closed Jacques Le Roux
          140.
          In UtilHttp, for regex processing of urls, replace Java regexp with RE2J Sub-task Closed Jacques Le Roux
          141.
          Upgrade Tomcat from 9.0.60 to 9.0.65 Sub-task Closed Jacques Le Roux
          142.
          Update Tomcat to 9.0.68 due to a low security issue Sub-task Closed Jacques Le Roux
          143.
          Update Apache Shiro to 1.10.1 Sub-task Closed Jacques Le Roux
          144.
          CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection Sub-task Closed Jacques Le Roux
          145.
          CVE-2023-24998 Apache Commons FileUpload and Tomcat - DoS with excessive parts Sub-task Closed Jacques Le Roux
          146.
          [SECURITY] CVE-2023-28708 Apache Tomcat - Information Disclosure Sub-task Closed Jacques Le Roux
          147.
          Disallow string concatenation in uploaded files Sub-task Closed Jacques Le Roux
          148.
          [CVE-2022-47501] Arbitrary file reading vulnerability in Solr Sub-task Closed Jacques Le Roux
          149.
          Disable the Birt component in all branches (including trunk) because of CVE-2022-25371 Sub-task Closed Jacques Le Roux
          150.
          [SECURITY] CVE-2023-34981 Apache Tomcat Sub-task Closed Jacques Le Roux
          151.
          [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack Sub-task Closed Jacques Le Roux
          152.
          Improve use of RandomStringUtils where it's potentially used in an insecure way Sub-task Closed Jacques Le Roux
          153.
          Execution of queries without authentication Sub-task Closed Jacques Le Roux
          154.
          [SECURITY] Several CVEs in Apache Tomcat Sub-task Closed Jacques Le Roux
          155.
          [SECURITY] Upgrade Apache Shiro to 1.13.0 to fix CVE-2023-46750 Sub-task Closed Jacques Le Roux
          156.
          [SECURITY] Remove deprecated Apache XML-RPC related code (CVE-2023-49070) Sub-task Closed Deepak Dixit
          157.
          [SECURITY: CVE-2023-50968] Use screen engine for the request getJSONuilabels Sub-task Closed Nicolas Malin
          158.
          [SECURITY: CVE-2023-51467] Replaced direct null checks on username, password, and token with UtilValidate.isEmpty() method calls for consistency. Sub-task Closed Deepak Dixit
          159.
          [SECURITY] (CVE-2024-23946) Don't need to show files names in UI messages Sub-task Closed Jacques Le Roux
          160.
          [SECURITY] (CVE-2024-25065) Normalize contextPath in hasBasePermission Sub-task Closed Jacques Le Roux
          161.
          [SECURITY] In Solr fixe NPE in FieldLengthFeature with non-stored/missing fields. Sub-task Closed Jacques Le Roux
          162.
          [SECURITY] Several CVEs in Apache Tomcat Sub-task Closed Jacques Le Roux
          163.
          [SECURITY] (CVE-2024-32113) Path traversal leading to RCE Sub-task Closed Jacques Le Roux
          164.
          [SECURITY] (CVE-2024-36104) Path traversal leading to RCE Sub-task Closed Jacques Le Roux
          165.
          CVE-2024-34750 Apache Tomcat - Denial of Service Sub-task Closed Jacques Le Roux
          166.
          [CVE-2024-38856] Add permission check for ProgramExport and EntitySQLProcessor Sub-task Closed Deepak Dixit
          167.
          [CVE-2024-45507] Add validation to screen/script URI to block URL patterns Sub-task Closed Deepak Dixit
          168.
          [CVE-2024-45195] Add permission check for view-maps and change defaults for request-maps Sub-task Closed Sebastian Tschikin
          169.
          [SECURITY] (CVE-2024-47208) Update method to check if the string starts with component:// instead of merely containing it Sub-task Closed Deepak Dixit
          170.
          [SECURITY] (CVE-2024-48962) Enhance Parameter Encoding in MacroMenuRenderer Sub-task Closed Deepak Dixit
          171.
          [SECURITY] Several CVEs in Apache Tomcat Sub-task Closed Jacques Le Roux
          172.
          Issues when uploading SVG files Sub-task Closed Jacques Le Roux
          173.
          Prevent URL parameters manipulation Sub-task Closed Jacques Le Roux

          Activity

            People

              Unassigned Unassigned
              jleroux Jacques Le Roux
              Votes:
              3 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated: