| Key | Parent | Summary | Assignee | Reporter | Status | Resolution | Date |
|---|---|---|---|---|---|---|---|
| OFBIZ-12942 | OFBIZ-1525 | [SECURITY] Several CVEs in Apache Tomcat | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12898 | OFBIZ-1525 | [SECURITY] In Solr fix NPE in FieldLengthFeature with non-stored/missing fields. | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12887 | OFBIZ-1525 | [SECURITY] (CVE-2024-25065) Normalize contextPath in hasBasePermission | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-12884 | OFBIZ-1525 | [SECURITY] (CVE-2024-23946) Don't need to show file names in UI messages | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-12875 | OFBIZ-1525 | [SECURITY: CVE-2023-50968] Use screen engine for the request getJSONuilabels | Nicolas Malin | Nicolas Malin | Closed | Done | |
| OFBIZ-12873 | OFBIZ-1525 | [SECURITY: CVE-2023-51467] Replaced direct null checks on username, password, and token with UtilValidate.isEmpty() method calls for consistency. | Deepak Dixit | Deepak Dixit | Closed | Done | |
| OFBIZ-12866 | OFBIZ-1525 | [SECURITY] Upgrade Apache Shiro to 1.13.0 to fix CVE-2023-46750 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12860 | OFBIZ-1525 | [SECURITY] Several CVEs in Apache Tomcat | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12857 | OFBIZ-1525 | Execution of queries without authentication | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12854 | OFBIZ-1525 | Improve use of RandomStringUtils where it's potentially used in an insecure way | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-12839 | OFBIZ-1525 | [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12831 | OFBIZ-1525 | [SECURITY] CVE-2023-34981 Apache Tomcat | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12824 | OFBIZ-1525 | Disable the Birt component in all branches (including trunk) because of CVE-2022-25371 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12812 | OFBIZ-1525 | [SECURITY] Remove deprecated Apache XML-RPC related code (CVE-2023-49070) | Deepak Dixit | Deepak Dixit | Closed | Fixed | |
| OFBIZ-12794 | OFBIZ-1525 | Disallow string concatenation in uploaded files | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12792 | OFBIZ-1525 | [CVE-2022-47501] Arbitrary file reading vulnerability in Solr | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12782 | OFBIZ-1525 | [SECURITY] CVE-2023-28708 Apache Tomcat - Information Disclosure | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12766 | OFBIZ-1525 | CVE-2023-24998 Apache Commons FileUpload and Tomcat - DoS with excessive parts | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12737 | OFBIZ-1525 | CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12713 | OFBIZ-1525 | Update Apache Shiro to 1.10.1 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12708 | OFBIZ-1525 | Update Tomcat to 9.0.68 due to a low security issue | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12696 | OFBIZ-1525 | Upgrade Tomcat from 9.0.60 to 9.0.65 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12657 | OFBIZ-1525 | [SECURITY] Upgrade Tika to 1.28.4 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12656 | OFBIZ-1525 | Update Solr and Lucene from 8.11.1 to 8.11.2 for security reasons | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12646 | OFBIZ-1525 | Java Deserialization vulnerability in Apache OFBiz (CVE-2022-29063) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12634 | OFBIZ-1525 | Regular expression denial of service in jquery-validation | Jacques Le Roux | Michael Brohl | Closed | Fixed | |
| OFBIZ-12626 | OFBIZ-1525 | [SECURITY] Upgrade Tika to 1.28.3 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12599 | OFBIZ-1525 | In UtilHttp, for regex processing of URLs, replace Java regexp with RE2J | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-12594 | OFBIZ-1525 | Prevent Freemarker interpolation in fields | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-12592 | OFBIZ-1525 | Prevent possible DoS attack done using Java deserialisation | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12584 | OFBIZ-1525 | Stored XSS in webappPath parameter from content/control/EditWebSite | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12582 | OFBIZ-1525 | Prevent post-auth vulnerability: FreeMarker bypass | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12573 | OFBIZ-1525 | CLONE - [SECURITY] Upgrade Tika to 1.28.1 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12572 | OFBIZ-1525 | [SECURITY] Upgrade Tika to 2.3.0 or more | Deepak Dixit | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12558 | OFBIZ-1525 | Possible authenticated attack related to Tomcat CVE-2020-1938 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12549 | OFBIZ-1525 | [SECURITY] CVE-2022-23437: Infinite loop within Apache XercesJ XML parser | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12539 | OFBIZ-1525 | Upgrade Tomcat from 9.0.54 to 9.0.58 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12475 | OFBIZ-1525 | [SECURITY] CVE-2021-44832: Apache Log4j2 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12474 | OFBIZ-1525 | [SECURITY] Update Tika because of Apache Log4j2 vulnerability | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12470 | OFBIZ-1525 | [SECURITY] CVE-2021-45105: Apache Log4j2 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12464 | OFBIZ-1525 | Update Solr and Lucene to address several CVEs (including Log4j) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12449 | OFBIZ-1525 | [SECURITY] CVE-2021-44228: Apache Log4j2 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12339 | OFBIZ-1525 | Update jquery-validation to 1.19.3 for security reasons | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-12337 | OFBIZ-1525 | [SECURITY] CVE-2021-42340 Apache Tomcat DoS | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12332 | OFBIZ-1525 | Post-auth Remote Code Execution Vulnerability | Jacques Le Roux | Jie Zhu | Closed | Fixed | |
| OFBIZ-12316 | OFBIZ-1525 | The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12315 | OFBIZ-1525 | OFBiz Arbitrary file read vulnerability | Jacques Le Roux | Jacques Le Roux | Closed | Not A Problem | |
| OFBIZ-12307 | OFBIZ-1525 | CVE-2021-37608 vulnerability bypass | Jacques Le Roux | thiscodecc | Closed | Fixed | |
| OFBIZ-12306 | OFBIZ-1525 | Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo | Jacques Le Roux | thiscodecc | Closed | Fixed | |
| OFBIZ-12304 | OFBIZ-1525 | Found a new XXE (XML External Entity Injection) vulnerability in EntityImport | Jacques Le Roux | thiscodecc | Closed | Fixed | |
| OFBIZ-12301 | OFBIZ-1525 | SecuredUpload::isValidTextFile wrong check with uppercase | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12297 | OFBIZ-1525 | Wrong uploaded file checked in Image Management [CVE-2021-37608] | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12256 | OFBIZ-1525 | Update PDFBox to 2.0.24 because of CVE-2021-31811 & CVE-2021-31812 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12221 | OFBIZ-1525 | Fixed ObjectInputStream denyList [CVE-2021-30128] | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-12216 | OFBIZ-1525 | Fixed UtilObject class [CVE-2021-29200] | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-12212 | OFBIZ-1525 | Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128] | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-12205 | OFBIZ-1525 | Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12195 | OFBIZ-1525 | webtools/control/threadList no longer works on trunk (only) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12186 | OFBIZ-1525 | Dependency verification | Jacques Le Roux | Jacques Le Roux | Closed | Abandoned | |
| OFBIZ-12167 | OFBIZ-1525 | Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12165 | OFBIZ-1525 | Upgrade Tomcat from 9.0.41 to 9.0.43 | Michael Brohl | Michael Brohl | Closed | Fixed | |
| OFBIZ-12098 | OFBIZ-1525 | Make ruleName field in PriceForms.xml#AddPriceRules safe | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12096 | OFBIZ-1525 | Post-auth XSS vulnerability at catalog/control/EditProductPromo | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12080 | OFBIZ-1525 | Secure the uploads | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12057 | OFBIZ-1525 | Prevent arbitrary file write using webtools/control/EntitySQLProcessor. | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12056 | OFBIZ-1525 | Prevent Zip Slip vulnerability | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-12055 | OFBIZ-1525 | Prevent possible post-auth RCE from webtools/control/ProgramExport | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11949 | OFBIZ-1525 | Local File Inclusion vulnerability | Jacques Le Roux | Jacques Le Roux | Closed | Duplicate | |
| OFBIZ-11948 | OFBIZ-1525 | Remote Code Execution (File Upload) Vulnerability | Jacques Le Roux | Jacques Le Roux | Closed | Duplicate | |
| OFBIZ-11942 | OFBIZ-1525 | Check if <<request.getParameter(">> even needs encoding in some places | Jacques Le Roux | Jacques Le Roux | Closed | Not A Problem | |
| OFBIZ-11871 | OFBIZ-1525 | Server-Side Template Injection using Static | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11848 | OFBIZ-1525 | Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) | Michael Brohl | Michael Brohl | Closed | Fixed | |
| OFBIZ-11847 | OFBIZ-1525 | CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) | Michael Brohl | Michael Brohl | Closed | Incomplete | |
| OFBIZ-11840 | OFBIZ-1525 | Reflected XSS in content component | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11836 | OFBIZ-1525 | IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11752 | OFBIZ-1525 | CLONE - Check embedded Javascript libs vulnerabilities using retire.js | Aditya Sharma | Aditya Sharma | Closed | Fixed | |
| OFBIZ-11716 | OFBIZ-1525 | Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11709 | OFBIZ-1525 | Prevent FreeMarker Template Injection (SSTI) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11643 | OFBIZ-1525 | CLONE - Use only HTTPS in OFBiz | Jacques Le Roux | Jacques Le Roux | Closed | Won't Do | |
| OFBIZ-11583 | OFBIZ-1525 | Prevent Host Header Injection (CVE-2019-12425) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11477 | OFBIZ-1525 | Improve Web Content Caching | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-11470 | OFBIZ-1525 | Ensure that the SameSite attribute is set to 'strict' for all cookies. (CVE-2019-0235) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11407 | OFBIZ-1525 | Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938) | Jacques Le Roux | Michael Brohl | Closed | Implemented | |
| OFBIZ-11349 | OFBIZ-1525 | The "stream" request-map in ecommerce and commonext controllers requires authentication | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11348 | OFBIZ-1525 | Temporarily comment out the "stream" request-map in ecommerce controller for security reasons | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11306 | OFBIZ-1525 | POC for CSRF Token (CVE-2019-0235) | Jacques Le Roux | James Yong | Closed | Implemented | |
| OFBIZ-11197 | OFBIZ-1525 | Arbitrary Code Execution | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11196 | OFBIZ-1525 | Path Traversal in webtools/control/FetchLogs and ViewFile | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11195 | OFBIZ-1525 | XML Entity Injection in webtools/control/entityImport | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-11006 | OFBIZ-1525 | Create customer request screen breaks when entering special characters (CVE-2019-10074) | Scott Gray | Scott Gray | Closed | Fixed | |
| OFBIZ-10920 | OFBIZ-1525 | Update Tomcat to 9.0.18 due to CVE-2019-0232 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-10873 | OFBIZ-1525 | Update Tomcat to 9.0.16 due to CVE-2019-0199 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-10843 | OFBIZ-1525 | Replace SHA-1 by SHA-512 | Unassigned | Jacques Le Roux | Open | Unresolved | |
| OFBIZ-10837 | OFBIZ-1525 | Improve ObjectInputStream class (CVE-2019-0189) | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-10828 | OFBIZ-1525 | HTML escaping missing for portalPageId parameter of Help button | Deepak Dixit | Deepak Dixit | Closed | Fixed | |
| OFBIZ-10770 | OFBIZ-1525 | Update Apache commons-fileupload to latest version (CVE-2019-0189) | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-10678 | OFBIZ-1525 | CLONE - Check embedded Javascript libs vulnerabilities using retire.js | Aditya Sharma | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-10435 | OFBIZ-1525 | Improve XML parsing with more restrictive settings | Taher Alkhateeb | Taher Alkhateeb | Closed | Fixed | |
| OFBIZ-10427 | OFBIZ-1525 | Add a means to handle CSRF (CVE-2019-0235) | Jacques Le Roux | Jacques Le Roux | Closed | Duplicate | |
| OFBIZ-10420 | OFBIZ-1525 | Session fixation issue | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-10415 | OFBIZ-1525 | Update Solr and Lucene from 7.2.1 to Solr 7.3.1 for security reasons (CVE-2018-8010) | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-10286 | OFBIZ-1525 | JSESSIONID root cookie not protected (httponly) | Jacques Le Roux | Jacques Le Roux | Closed | Cannot Reproduce | |
| OFBIZ-10085 | OFBIZ-1525 | Prevent the possible return of the Robot attack | Jacques Le Roux | Jacques Le Roux | Closed | Incomplete | |
| OFBIZ-9973 | OFBIZ-1525 | [FB] Find Security Bugs | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-9966 | OFBIZ-1525 | Secure the login.secret_key_string | Jacques Le Roux | Jacques Le Roux | Closed | Won't Fix | |
| OFBIZ-9865 | OFBIZ-1525 | Enhance cookie security | Jacques Le Roux | Jacques Le Roux | Closed | Won't Fix | |
| OFBIZ-9313 | OFBIZ-1525 | Update Tomcat to 8.0.42 because of CVE-2017-5648 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-9310 | OFBIZ-1525 | On setting verbose true, UtilHttp.getParameterMap() method prints username and password in logs | Jacques Le Roux | Aditya Sharma | Closed | Fixed | |
| OFBIZ-9269 | OFBIZ-1525 | Check embedded Javascript libs vulnerabilities using retire.js | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-9198 | OFBIZ-1525 | Missing file results in error | Jacques Le Roux | Ingo Wolfmayr | Closed | Fixed | |
| OFBIZ-9124 | OFBIZ-1525 | Upgrade Tomcat to 8.0.39 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-7373 | OFBIZ-1525 | Update Shiro to 1.2.5 (CVE-2016-4437) | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-7348 | OFBIZ-1525 | Upgrade Tomcat to 8.5.3 (or 8.0.36) | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-7136 | OFBIZ-1525 | Upgrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-7070 | OFBIZ-1525 | Pagination Problem in Find Invoices By Due Date | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-7028 | OFBIZ-1525 | Use SecureRandom instead of Random where appropriate, and randomUUID for externalKey | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-7026 | OFBIZ-1525 | Remove duplicated jars under solr component | Shi Jinghai | Shi Jinghai | Closed | Fixed | |
| OFBIZ-6959 | OFBIZ-1525 | Update XStream lib to prevent XML External Entity (XXE) Processing | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6942 | OFBIZ-1525 | Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6926 | OFBIZ-1525 | Replace the contrast Java agent by the notsoserial Java agent | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6916 | OFBIZ-1525 | Upgrade Axis2 to 1.7.1 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6915 | OFBIZ-1525 | Upgrade Tomcat to 8.0.33 | Jacques Le Roux | Chatree Srichart | Closed | Fixed | 24/Feb/16 |
| OFBIZ-6913 | OFBIZ-1525 | Update Tomcat to 7.0.68 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6905 | OFBIZ-1525 | Update Xalan libs to version 2.7.2 because of CVE-2014-0107 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6886 | OFBIZ-1525 | Hide sessionId in logs by default, show them using a property | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-6879 | OFBIZ-1525 | Remove forceHttpSession feature | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-6872 | OFBIZ-1525 | Remove all sessionIds put in URLs | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-6871 | OFBIZ-1525 | Get rid of the session-cookie-accepted feature | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-6867 | OFBIZ-1525 | Remove forceManualJsessionid feature | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-6849 | OFBIZ-1525 | Use only HTTPS in OFBiz | Jacques Le Roux | Jacques Le Roux | Closed | Implemented | |
| OFBIZ-6769 | OFBIZ-1525 | The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties | Jacques Le Roux | Supachai Chaima-ngua (Tor) | Closed | Invalid | |
| OFBIZ-6766 | OFBIZ-1525 | Secure HTTP headers | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6756 | OFBIZ-1525 | Remove useless and vulnerable hadoop-hdfs-2.2.0.jar | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6755 | OFBIZ-1525 | Update the passport component to use httpclient/core-4.4.1 instead of commons-httpclient-3.1 | Shi Jinghai | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6754 | OFBIZ-1525 | Update Spring Framework | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6752 | OFBIZ-1525 | Update Tomcat to 7.0.65 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6751 | OFBIZ-1525 | POI security fix | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6726 | OFBIZ-1525 | Update commons collections to 3.2.2 because of known possible exploit [CVE-2016-2170] | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-6655 | OFBIZ-1525 | Add session tracking mode and make cookie secure | Jacques Le Roux | Deepak Dixit | Closed | Fixed | |
| OFBIZ-6568 | OFBIZ-1525 | Update Groovy to 2.4.5 version [CVE-2016-2170] | Jacopo Cappellato | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-6506 | OFBIZ-1525 | XSS vulnerability in OFBiz forms and screens, especially in display-entity component | Jacques Le Roux | Lilian Iatco | Closed | Fixed | |
| OFBIZ-5881 | OFBIZ-1525 | Update embedded Tomcat to 7.0.57 | Jacques Le Roux | Jacques Le Roux | Closed | Done | |
| OFBIZ-5848 | OFBIZ-1525 | POODLE - disable SSLv3 | Jacques Le Roux | Poodle Fixer | Closed | Fixed | |
| OFBIZ-5801 | OFBIZ-1525 | Upgrade Axis2 to 1.6.3 | Jacques Le Roux | Jacques Le Roux | Closed | Fixed | |
| OFBIZ-5357 | OFBIZ-1525 | Analysis of code vulnerabilities | Unassigned | Sumit Pandit | Closed | Incomplete | |
| OFBIZ-4958 | OFBIZ-1525 | Additional Validation for Password: Make password pattern driven | Jacques Le Roux | Sumit Pandit | Closed | Fixed | |
| OFBIZ-4361 | OFBIZ-1525 | Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password" | Jacques Le Roux | mz4wheeler | Closed | Fixed | |
| OFBIZ-3424 | OFBIZ-1525 | Upgrade Tomcat version to 6.0.24 | Erwan de Ferrieres | Erwan de Ferrieres | Closed | Fixed | |
| OFBIZ-3257 | OFBIZ-1525 | Security concern in the way to populate parameters map in the context | David E. Jones | Patrick Antivackis | Closed | Fixed | |
| OFBIZ-3006 | OFBIZ-1525 | entity encrypt columns not using encryption salt value? | Adam Heath | chris snow | Closed | Fixed | |
| OFBIZ-2747 | OFBIZ-1525 | Security: The remote web server is prone to cross-site scripting attacks. | Scott Gray | Alexandre Mazari | Closed | Fixed | |
| OFBIZ-2729 | OFBIZ-1525 | special security should be required for setting passwords | Unassigned | Si Chen | Open | Unresolved | |
| OFBIZ-2449 | OFBIZ-1525 | Secure targets in widget forms | Jacques Le Roux | Jacques Le Roux | Closed | Not A Problem | |
| OFBIZ-2272 | OFBIZ-1525 | Secure URLs exceptions | Jacques Le Roux | Jacques Le Roux | Closed | Not A Problem | |
| OFBIZ-2256 | OFBIZ-1525 | Secure URLs | Jacques Le Roux | Jacques Le Roux | Closed | Won't Fix | |
| OFBIZ-1959 | OFBIZ-1525 | Remaining XSRF issues | Jacques Le Roux | Michele Orru | Closed | Fixed | |
| OFBIZ-1690 | OFBIZ-1525 | Set widget default url encode value to true | Jacques Le Roux | Bilgin Ismet Ibryam | Closed | Not A Problem | |
| OFBIZ-1193 | OFBIZ-1525 | HTML code is not sanitized in all the text input fields | David E. Jones | Vikrant Rathore | Closed | Fixed | |
| OFBIZ-1151 | OFBIZ-1525 | Passwords are not salted | Unassigned | Wickersheimer Jeremy | Closed | Not A Problem | |
| OFBIZ-1106 | OFBIZ-1525 | Passwords in POS are shown in clear text | Jacques Le Roux | Chris Lombardi | Closed | Fixed | |
| OFBIZ-260 | OFBIZ-1525 | Cross Site Scripting Vulnerability (XSS) | David E. Jones | Marco Risaliti | Closed | Fixed | |
| OFBIZ-178 | OFBIZ-1525 | Cross site scripting vulnerability in Forum | David E. Jones | Eriks Dobelis | Closed | Fixed | |