Old DWR causes CSRF, XSS in Admin Console

Description

We're currently using DWR 1.1.4, which has weaknesses in terms of modern web security. An update to 3.0.2 should be possible, but is a substantial piece of work and impacts a number of cases (Monitoring Plugin and Kraken as well as core).

Environment

None

Activity

Daryl Herzmann 
November 13, 2017 at 6:31 PM

change was merged, assumed as resolved

Fixed

Details

Created December 21, 2016 at 12:14 PM
Updated February 13, 2018 at 8:40 PM
Resolved November 13, 2017 at 6:31 PM