
AE <= 5.11 vulnerability - xss attack. Update possible???

Question asked by udoderk on Feb 13, 2013
Latest reply on Feb 14, 2013 by jbarrez
Hi girls and guys using Activiti.
I read that the Vaadin framework, which is used in the design of Activiti Explorer, was updated to
version 6.8.8 (Version 6.8.8 built on 2013-01-29). This version contains the security fix:
Vaadin 6.8.8 fixes a security issue discovered during an internal review.

Allowing unfiltered user input as the key in a map used for communication in a Vaadin UI component may enable a cross-site scripting (XSS) attack on a Vaadin application. Specifically, in certain cases it is possible to use a specially-crafted debug ID to inject arbitrary Javascript to be executed in an end user's browser. This requires specific actions both from the application developer and from the end user.
The Activiti Explorer contained in the Activiti stack 5.10 and 5.11 uses… the vaadin-6.6.2.jar (which was released on 15 June 2011!).

Is it possible to update to the vaadin-6.8.8 version? Activiti Explorer 5.11 was released in December 2012, but it still uses the "old" Vaadin jar…
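A quick way to confirm which Vaadin version a deployed Activiti Explorer actually ships, and whether it predates the 6.8.8 fix named in the release note above, is to look at the jar names under WEB-INF/lib. The script below is an added example for this thread, not code from the Activiti or Vaadin projects: it reads the version from jar names such as vaadin-6.6.2.jar (the jar contents are not inspected), compares it against 6.8.8, and works either on a .war file or on an already-exploded WEB-INF/lib directory. The sample WAR built in demo() is constructed here with empty jar entries purely to exercise the check.

```python
"""Check an Activiti Explorer deployment for a Vaadin jar older than 6.8.8.

Added example, not code from the Activiti or Vaadin projects. It only looks at
jar file names (e.g. vaadin-6.6.2.jar); it does not inspect jar contents.
"""
import os
import re
import tempfile
import zipfile

# Version that ships the XSS fix, per the Vaadin 6.8.8 release note quoted above.
FIXED_VERSION = (6, 8, 8)

# Matches vaadin-6.6.2.jar as well as split Vaadin 7 names like vaadin-server-7.0.0.jar.
JAR_NAME_RE = re.compile(
    r"^vaadin(?:-[a-z]+)*-(\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)?\.jar$"
)


def parse_version(text):
    """'6.6.2' -> (6, 6, 2). A non-numeric piece (e.g. 'rc1') ends the tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version):
    """True when the version predates the 6.8.8 fix (plain tuple comparison)."""
    return parse_version(version) < FIXED_VERSION


def scan_names(names):
    """Return [(jar name, version, vulnerable)] for every Vaadin jar among the
    given path names (WAR entries or files in WEB-INF/lib)."""
    findings = []
    for name in names:
        base = name.rsplit("/", 1)[-1]
        match = JAR_NAME_RE.match(base)
        if match:
            version = match.group(1)
            findings.append((base, version, is_vulnerable(version)))
    return findings


def scan_war(war_path):
    """Inspect WEB-INF/lib inside a .war without unpacking it."""
    with zipfile.ZipFile(war_path) as war:
        return scan_names(n for n in war.namelist() if n.startswith("WEB-INF/lib/"))


def scan_lib_dir(lib_dir):
    """Inspect an already-exploded WEB-INF/lib directory."""
    return scan_names(os.listdir(lib_dir))


def demo():
    """Build a constructed sample WAR (hypothetical layout, empty jar entries)
    mirroring the 5.11 explorer described in the question, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        war_path = os.path.join(tmp, "activiti-explorer-sample.war")
        with zipfile.ZipFile(war_path, "w") as war:
            war.writestr("WEB-INF/lib/vaadin-6.6.2.jar", b"")
            war.writestr("WEB-INF/lib/activiti-engine-5.11.jar", b"")
        return scan_war(war_path)


if __name__ == "__main__":
    for jar, version, vulnerable in demo():
        status = "UPDATE to 6.8.8 or later" if vulnerable else "ok"
        print(f"{jar}: Vaadin {version} -> {status}")
```

Point scan_war() at the real activiti-explorer.war (or scan_lib_dir() at its unpacked WEB-INF/lib) to get the same tuple list for an actual deployment; a True in the third position means the jar predates the fix.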