Hello,
I identified several vulnerabilities in dotCMS v5.1.1 due to vulnerable
open source dependencies.
Full security write up:
http://secureli.com/dotcms-v5-1-1-vulnerable-open-source-dependencies/
The details:
----
/ROOT/html/js/scriptaculous/prototype.js
↳ prototypejs 1.5.0
prototypejs 1.5.0 has known vulnerabilities: severity: high; CVE:
CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/
ROOT/assets/3/6/36c22c5d-c813-4869-a4b7-fcc10a74e8b6/fileAsset/jquery.min.js
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
because of Object.prototype pollution;
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
ROOT/assets/5/1/515cba4e-ac64-4523-b683-8e38329e7f46/fileAsset/bootstrap.min.js
↳ bootstrap 3.2.0
bootstrap 3.2.0 has known vulnerabilities: severity: high; issue: 28236,
summary: XSS in data-template, data-content and data-title properties of
tooltip/popover, CVE: CVE-2019-8331;
https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue:
20184, summary: XSS in data-target property of scrollspy, CVE:
CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity:
medium; issue: 20184, summary: XSS in collapse data-parent attribute,
CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
severity: medium; issue: 20184, summary: XSS in data-container property
of tooltip, CVE: CVE-2018-14042;
https://github.com/twbs/bootstrap/issues/20184
ROOT/assets/9/9/99c7ffe7-e1c2-407f-85b7-ec483dbcf6f1/fileAsset/jquery.min.js
↳ jquery 3.3.1
jquery 3.3.1 has known vulnerabilities: severity: low; CVE:
CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
because of Object.prototype pollution;
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
ROOT/assets/f/6/f6fa6b13-3a96-4cbf-9a75-19a40137f05a/fileAsset/jquery.min.js
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
because of Object.prototype pollution;
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
ROOT/assets/4/a/4a5a727f-369b-49e0-bff5-42d9efb4ba90/fileAsset/jquery-2.1.1.min.js
↳ jquery 2.1.1.min
jquery 2.1.1.min has known vulnerabilities: severity: medium; issue:
2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
because of Object.prototype pollution;
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
ROOT/html/js/dojo/custom-build/dojo/dojo.js
↳ dojo 1.8.6
dojo 1.8.6 has known vulnerabilities: severity: medium; PR: 307;
https://github.com/dojo/dojo/pull/307
https://dojotoolkit.org/blog/dojo-1-14-released
ROOT/html/js/tinymce/js/tinymce/tinymce.min.js
↳ tinyMCE 4.1.6
tinyMCE 4.1.6 has known vulnerabilities: severity: medium; summary: xss
issues with media plugin not properly filtering out some script
attributes.; https://www.tinymce.com/docs/changelog/ severity: medium;
summary: FIXED so script elements gets removed by default to prevent
possible XSS issues in default config implementations;
https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED
so links with xlink:href attributes are filtered correctly to prevent
XSS.; https://www.tinymce.com/docs/changelog/