https://connect.hyland.com/t5/alfresco-archive/ae-lt-5-11-vulnerability-xss-attack-update-possible/m-p/134170#M94184 <HTML><HEAD></HEAD><BODY><SPAN>Hi girls and guys using activiti.</SPAN><BR /><SPAN>i read that vaadin framework, that is used by design of activiti explorer, was updated to</SPAN><BR /><SPAN> 6.8.8 version (</SPAN><A href="https://vaadin.com/download/release/6.8/6.8.8/release-notes.html#security-fixes" rel="nofollow noopener noreferrer">Version 6.8.8</A><SPAN> built on 2013-01-29.). This version </SPAN><A href="https://vaadin.com/download/release/6.8/6.8.8/release-notes.html#security-fixes" rel="nofollow noopener noreferrer">contains the security fix</A><BR /><BLOCKQUOTE class="jive-quote">Vaadin 6.8.8 fixes a security issue discovered during an internal review.<BR /><BR />Allowing unfiltered user input as the key in a map used for communication in a Vaadin UI component may enable a cross-site scripting (XSS) attack on a Vaadin application. Specifically, in certain cases it is possible to use a specially-crafted debug ID to inject arbitrary Javascript to be executed in an end user's browser. This requires specific actions both from the application developer and from the end user.</BLOCKQUOTE><SPAN>The activiti explorer, contained into activiti stack 5.10 and 5.11, uses…the vaadin-6.6.2.jar, (it was </SPAN><A href="https://vaadin.com/de/forum/-/message_boards/view_message/518841" rel="nofollow noopener noreferrer">available</A><SPAN> at 15. juni</SPAN><STRONG> 2011</STRONG><SPAN>! )</SPAN><BR /><BR /><SPAN>Is it possible to update to vaadin-6.8.8 version? The Activi Explorer Release 5.11 was in december 2012, but it still uses "old" vaadin jar…</SPAN></BODY></HTML> Wed, 13 Feb 2013 22:06:55 GMT udoderk 2013-02-13T22:06:55Z https://connect.hyland.com/t5/alfresco-archive/ae-lt-5-11-vulnerability-xss-attack-update-possible/m-p/134170#M94184 Hi girls and guys using activiti.i read that vaadin framework, that is used by design of activiti explorer, was updated to 6.8.8 version (Version 6.8.8 built on 2013-01-29.). This version contains the security fixVaadin 6.8.8 fixes a security issue discovered during an internal review.Allowing unfil Wed, 13 Feb 2013 22:06:55 GMT https://connect.hyland.com/t5/alfresco-archive/ae-lt-5-11-vulnerability-xss-attack-update-possible/m-p/134170#M94184 udoderk 2013-02-13T22:06:55Z https://connect.hyland.com/t5/alfresco-archive/ae-lt-5-11-vulnerability-xss-attack-update-possible/m-p/134171#M94185 <HTML><HEAD></HEAD><BODY><SPAN>Yes correct, we should update. I'll take the necessary steps. Thanks for the heads up.</SPAN><BR /><BR /><SPAN>In theory, it is a drop-in replacement of the jar.</SPAN></BODY></HTML> Thu, 14 Feb 2013 06:37:45 GMT https://connect.hyland.com/t5/alfresco-archive/ae-lt-5-11-vulnerability-xss-attack-update-possible/m-p/134171#M94185 jbarrez 2013-02-14T06:37:45Z