Add files via upload by antonychiu2 · Pull Request #7 · antonychiu2/opencms

antonychiu2 · 2025-04-10T14:10:50Z

No description provided.

github-actions · 2025-04-10T14:22:13Z

No security issues were found ✅

Awesome! No vulnerabilities were found by CodeQL in the changes made as part of this PR.
Please notice there are issues in this repo that are unrelated to this PR.

antonychiu2 · 2025-04-10T15:24:39Z

Checkmarx One – Scan Summary & Details – f65df73a-6295-4e06-8a83-2d4e2638607c

New Issues (33)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2024-45216	Maven-org.apache.solr:solr-core-8.11.1	details Recommended version: 9.8.0 Description: An Improper Authentication vulnerability exists in Apache Solr. Solr instances using the "PKIAuthenticationPlugin," which is enabled by default whe... Attack Vector: NETWORK Attack Complexity: LOW `ID: vI%2BmL5o3OSTmJk6Z4rNviFsVjoFGzgVE9TTvd%2B9wZPI%3D` Vulnerable Package
CVE-2025-24814	Maven-org.apache.solr:solr-core-8.11.1	details Recommended version: 9.8.0 Description: Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetSe... Attack Vector: NETWORK Attack Complexity: LOW `ID: vqvBMRuCDFRL26w1dXDN%2B9JWXnq5AFogC0cqVCy51Ko%3D` Vulnerable Package
CVE-2024-45217	Maven-org.apache.solr:solr-core-8.11.1	details Recommended version: 9.8.0 Description: Insecure Default Initialization of Resource vulnerability in Apache Solr. New "ConfigSets" that are created via a "Restore command", which copy a "... Attack Vector: NETWORK Attack Complexity: LOW `ID: sQwvfEDHExsp%2BNWbaYNd7Wiajd1I%2FM7DnowgU3%2FFg1Y%3D` Vulnerable Package
CVE-2024-47554	Maven-commons-io:commons-io-2.11.0	details Recommended version: 2.14.0 Description: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The "org.apache.commons.io.input.XmlStreamReader" class may excessively consu... Attack Vector: NETWORK Attack Complexity: LOW `ID: vqZQbYqw9AC%2FsBx1K4ELYi1%2FWiEOhl5LOF2z5JcJ%2FQI%3D` Vulnerable Package
CVE-2024-52012	Maven-org.apache.solr:solr-core-8.11.1	details Recommended version: 9.8.0 Description: Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a... Attack Vector: NETWORK Attack Complexity: LOW `ID: ndB7K2lkctD35h%2FJD0kBajm7hqmh1r%2FLts9sNB0Ew%2Fk%3D` Vulnerable Package
CVE-2025-23184	Maven-org.apache.cxf:cxf-core-3.5.5	details Recommended version: 3.5.10 Description: A potential Denial-of-Service (DoS) vulnerability is present in Apache CXF versions prior to 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the `Cach... Attack Vector: NETWORK Attack Complexity: LOW `ID: BS2N2U1O3Z1fzPYwudPu%2FJBtRr%2BFgkdUNRfqZi6q2p8%3D` Vulnerable Package
Reflected_XSS	/src/org/opencms/jsp/userdata/function-example.jsp: 97	details The method embeds untrusted data in generated output with getBeforeData, at line 97 of /src/org/opencms/jsp/userdata/function-example.jsp. This un... `ID: p4XH044wXlpKVNoEoYDACfmS11k%3D` Attack Vector
Reflected_XSS	/src/org/opencms/jsp/userdata/function-example.jsp: 70	details The method embeds untrusted data in generated output with getViewText, at line 70 of /src/org/opencms/jsp/userdata/function-example.jsp. This untr... `ID: hUbJWNeAU3mOoZOwzz69jWnA4rQ%3D` Attack Vector
Reflected_XSS	/src/org/opencms/jsp/userdata/function-example.jsp: 67	details The method embeds untrusted data in generated output with getViewFailure, at line 67 of /src/org/opencms/jsp/userdata/function-example.jsp. This u... `ID: yE5%2B8flve%2BuyKK6suaHRn65lEFQ%3D` Attack Vector
Reflected_XSS	/src/org/opencms/jsp/userdata/function-example.jsp: 64	details The method embeds untrusted data in generated output with getSuccess, at line 64 of /src/org/opencms/jsp/userdata/function-example.jsp. This untru... `ID: oAG8r9y3%2FitlbP4C3nBAxHbx33k%3D` Attack Vector
Reflected_XSS	/src/org/opencms/jsp/userdata/function-example.jsp: 62	details The method embeds untrusted data in generated output with getAfterForm, at line 62 of /src/org/opencms/jsp/userdata/function-example.jsp. This unt... `ID: Igr%2BlyHm%2FmHYvVd3hgqB31WZFqA%3D` Attack Vector
Reflected_XSS	/src/org/opencms/jsp/userdata/function-example.jsp: 44	details The method embeds untrusted data in generated output with getBeforeForm, at line 44 of /src/org/opencms/jsp/userdata/function-example.jsp. This un... `ID: eU90mYyL8vKCKyBQs8%2F122%2BUVkU%3D` Attack Vector
Reflected_XSS	/src/org/opencms/jsp/userdata/function-example.jsp: 41	details The method embeds untrusted data in generated output with getFailure, at line 41 of /src/org/opencms/jsp/userdata/function-example.jsp. This untru... `ID: MATx7QYt%2FfinIpwurQEN%2BT1K4BY%3D` Attack Vector
Absolute_Path_Traversal	/webapp/WEB-INF/updatedata/step_4_module_selection.jsp: 3	details Method at line 3 of /webapp/WEB-INF/updatedata/step_4_module_selection.jsp gets dynamic data from the getParameterMap element. This element’s valu... `ID: 4OU1sWWdfcQltXvCvAS5pLhUo2E%3D` Attack Vector
CVE-2024-12798	Maven-ch.qos.logback:logback-core-1.2.3	details Recommended version: 1.3.15 Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code... Attack Vector: LOCAL Attack Complexity: LOW `ID: fZ77jpSW4z%2FoVAvQ0k0LgxMgJKUj%2FenNV4P2f1%2F%2FGRM%3D` Vulnerable Package
CVE-2024-12798	Maven-ch.qos.logback:logback-classic-1.2.3	details Recommended version: 1.3.15 Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code... Attack Vector: LOCAL Attack Complexity: LOW `ID: I5iPONAYh2iCecLE6UfRbZ36XTqm%2BS4LJ%2FMax7i28hM%3D` Vulnerable Package
CVE-2024-47068	Npm-rollup-1.32.1	details Recommended version: 2.79.2 Description: Rollup is a module bundler for JavaScript. In rollup versions prior to 2.79.2, 3.x prior to 3.29.5, and 4.x prior to 4.22.4 are susceptible to a DO... Attack Vector: NETWORK Attack Complexity: LOW `ID: ikMZrwzlpP3OyzYOL8sHONOxzZBGWpP9dcrw%2BUecrxg%3D` Vulnerable Package
CVE-2024-6762	Maven-org.eclipse.jetty:jetty-servlets-9.4.50.v20221201	details Recommended version: 9.4.54.v20240208 Description: Unauthenticated users can exploit Jetty PushSessionCacheFilter to launch remote Denial-of-Service (DoS) attacks by exhausting the server's memory. ... Attack Vector: NETWORK Attack Complexity: LOW `ID: EBtsIkOiTpCqeDsWkAxcVgs1pDDQQPLdt5dsTS7kpJc%3D` Vulnerable Package
CVE-2024-6763	Maven-org.eclipse.jetty:jetty-server-9.4.50.v20221201	details Recommended version: 9.4.57.v20241219 Description: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, 'HttpURI', for URI/URL pars... Attack Vector: NETWORK Attack Complexity: LOW `ID: Hfpyu7yuPyLeqryKzImBD1MyQKW%2FsdoAIuvyGNYq%2BOw%3D` Vulnerable Package
CVE-2024-6763	Maven-org.eclipse.jetty:jetty-http-9.4.50.v20221201	details Recommended version: 9.4.57.v20241219 Description: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, 'HttpURI', for URI/URL pars... Attack Vector: NETWORK Attack Complexity: LOW `ID: iC2LVHqOyPQtEqSW2lxy0MsWH%2BA85Mmafq4Te5N8zAI%3D` Vulnerable Package
CVE-2024-8184	Maven-org.eclipse.jetty:jetty-server-9.4.50.v20221201	details Recommended version: 9.4.57.v20241219 Description: There exists a security vulnerability in Jetty's "ThreadLimitHandler.getRemote()" which can be exploited by unauthorized users to cause a remote De... Attack Vector: NETWORK Attack Complexity: LOW `ID: omEK3NxXcVJCWOM2nSYUWRpC2vDarz2UKEXmTw8KkqY%3D` Vulnerable Package
CVE-2024-9823	Maven-org.eclipse.jetty:jetty-servlets-9.4.50.v20221201	details Recommended version: 9.4.54.v20240208 Description: There exists a security vulnerability in Jetty's "DosFilter" which can be exploited by unauthorized users to cause remote Denial-of-Service (DoS) a... Attack Vector: NETWORK Attack Complexity: LOW `ID: FoPmdc8uBrT%2BDHT%2FeddPQpp5hKdANeFL17R8BWDADbo%3D` Vulnerable Package
Improper_Restriction_of_Stored_XXE_Ref	/src/org/opencms/util/CmsFileUtil.java: 720	details The loads and parses XML using read, at line 860 of /src/org/opencms/xml/CmsXmlUtils.java. This XML was received earlier from user input, bytes, ... `ID: fRKQPSjg7Gse7xZM8tNq62gOKTE%3D` Attack Vector
Improper_Restriction_of_Stored_XXE_Ref	/test/org/opencms/configuration/TestFullWorkplaceConfiguration.java: 102	details The loads and parses XML using read, at line 860 of /src/org/opencms/xml/CmsXmlUtils.java. This XML was received earlier from user input, FileInp... `ID: 5bB%2B16BdTt9%2FogAdFoAew7Ik63Y%3D` Attack Vector
Improper_Restriction_of_Stored_XXE_Ref	/test/org/opencms/configuration/TestConfiguration.java: 100	details The loads and parses XML using read, at line 860 of /src/org/opencms/xml/CmsXmlUtils.java. This XML was received earlier from user input, FileInp... `ID: %2F3fc8E7%2BYGFkDPxOOd%2BmeyqtI3Y%3D` Attack Vector
Privacy_Violation	/src/org/opencms/gwt/CmsCoreService.java: 690	details Method at line 690 of /src/org/opencms/gwt/CmsCoreService.java sends user information outside the application. This may constitute a Privacy Viola... `ID: wGjuh9mukYusQ2Hp%2BErCPbxWPnM%3D` Attack Vector
Unchecked_Input_for_Loop_Condition	/src/org/opencms/ade/galleries/CmsGalleryService.java: 740	details Method at line 740 of /src/org/opencms/ade/galleries/CmsGalleryService.java gets user input from element locale . This element’s value flows throu... `ID: 4%2Bc%2Fwje7wWtst9FO5d%2B07UPgtKY%3D` Attack Vector
CVE-2024-12801	Maven-ch.qos.logback:logback-core-1.2.3	details Recommended version: 1.3.15 Description: Server-Side Request Forgery (SSRF) in "SaxEventRecorder" by QOS.CH logback on the Java platform, allows an attacker to forge requests by compromisi... Attack Vector: LOCAL Attack Complexity: LOW `ID: gZj6tKJbHeFKLwxXbRuruV6WlmvpRrTMAQHtaMbJGd4%3D` Vulnerable Package
Log_Forging	/src/org/opencms/gwt/CmsCoreService.java: 584	details Method at line 584 of /src/org/opencms/gwt/CmsCoreService.java gets user input from element cms. This element’s value flows through the code witho... `ID: PnUyjZ9Ejd80IcYxpXhWiQe2gAw%3D` Attack Vector
Log_Forging	/src/org/opencms/flex/CmsFlexController.java: 283	details Method at line 283 of /src/org/opencms/flex/CmsFlexController.java gets user input from element getHeader. This element’s value flows through the ... `ID: aAgmE8sJTiD7DaXmwpJGdq4%2BHRo%3D` Attack Vector
Log_Forging	/src/org/opencms/flex/CmsFlexController.java: 284	details Method at line 284 of /src/org/opencms/flex/CmsFlexController.java gets user input from element getHeader. This element’s value flows through the ... `ID: klBSlrZFbaKbwS18JFlnlcwy8kQ%3D` Attack Vector
Log_Forging	/src/org/opencms/security/CmsDefaultAuthorizationHandler.java: 298	details Method at line 298 of /src/org/opencms/security/CmsDefaultAuthorizationHandler.java gets user input from element getRequestURI. This element’s val... `ID: 7f8JWOVP9MFaeCVqh0LYU8qxv70%3D` Attack Vector
Log_Forging	/src/org/opencms/ade/publish/CmsPublishService.java: 139	details Method at line 139 of /src/org/opencms/ade/publish/CmsPublishService.java gets user input from element name. This element’s value flows through th... `ID: Xb6%2BOe%2FNJqVT6GJAvJCkaWwTaJo%3D` Attack Vector

Fixed Issues (67)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2016-10707~~	Npm-jquery-1.8.0
	~~Cx89601373-08db~~	Npm-debug-3.2.7
	~~Cx89601373-08db~~	Npm-debug-2.6.9
	~~Cxf6e7f2c1-dc59~~	Npm-yauzl-2.10.0
	~~CVE-2020-11022~~	Npm-jquery-1.8.0
	~~CVE-2022-23494~~	Nuget-TinyMCE-5.10.5
	~~CVE-2024-4067~~	Npm-micromatch-4.0.7
	~~Improper_Restriction_of_Stored_XXE_Ref~~	/src/org/opencms/xml/CmsXmlUtils.java: 860
	~~Improper_Restriction_of_Stored_XXE_Ref~~	/src/org/opencms/configuration/CmsConfigurationManager.java: 149
	~~Improper_Restriction_of_Stored_XXE_Ref~~	/src/org/opencms/ade/upload/CmsUploadBean.java: 271
	~~Improper_Restriction_of_Stored_XXE_Ref~~	/src/org/opencms/configuration/CmsConfigurationManager.java: 525
	~~Improper_Restriction_of_Stored_XXE_Ref~~	/test/org/opencms/module/CmsModuleResourceChecker.java: 118
	~~Privacy_Violation~~	/src/org/opencms/security/CmsPasswordInfo.java: 168
	~~Heap_Inspection~~	/src/org/opencms/main/OpenCmsCore.java: 281
	~~Heap_Inspection~~	/src/org/opencms/security/CmsPasswordInfo.java: 51
	~~Heap_Inspection~~	/src/org/opencms/security/CmsPasswordInfo.java: 49
	~~Heap_Inspection~~	/src-setup/org/opencms/setup/CmsSetupBean.java: 265
	~~Heap_Inspection~~	/src-setup/org/opencms/setup/CmsAutoSetupProperties.java: 228
	~~Heap_Inspection~~	/src-setup/org/opencms/setup/CmsAutoSetupProperties.java: 165
	~~Heap_Inspection~~	/src/org/opencms/importexport/A_CmsImport.java: 884
	~~Heap_Inspection~~	/src/org/opencms/db/CmsLoginManager.java: 643
	~~Heap_Inspection~~	/src/org/opencms/ui/login/CmsPasswordForm.java: 63
	~~Heap_Inspection~~	/src/org/opencms/ui/login/CmsPasswordForm.java: 75
	~~Heap_Inspection~~	/src/org/opencms/ui/login/CmsPasswordForm.java: 69
	~~Heap_Inspection~~	/src/org/opencms/ui/login/CmsChangePasswordDialog.java: 99
	~~Heap_Inspection~~	/src/org/opencms/configuration/CmsSystemConfiguration.java: 694
	~~Heap_Inspection~~	/src-gwt/org/opencms/gwt/client/ui/CmsChangePasswordWidget.java: 81
	~~Heap_Inspection~~	/src-gwt/org/opencms/gwt/client/ui/CmsChangePasswordWidget.java: 85
	~~Heap_Inspection~~	/src-gwt/org/opencms/gwt/client/ui/CmsChangePasswordWidget.java: 93
	~~Heap_Inspection~~	/test/org/opencms/test/OpenCmsTestCase.java: 156
	~~Heap_Inspection~~	/src/org/opencms/webdav/CmsDavSessionProvider.java: 73
	~~Heap_Inspection~~	/src/org/opencms/ui/login/CmsLoginController.java: 107
	~~Heap_Inspection~~	/src/org/opencms/security/CmsDefaultAuthorizationHandler.java: 339
	~~Heap_Inspection~~	/src/org/opencms/mail/CmsMailHost.java: 44
	~~Heap_Inspection~~	/src/org/opencms/importexport/CmsImportVersion7.java: 468
	~~Heap_Inspection~~	/src/org/opencms/importexport/CmsImportVersion10.java: 573
	~~Heap_Inspection~~	/src/org/opencms/importexport/A_CmsImport.java: 884
	~~Heap_Inspection~~	/src/org/opencms/db/CmsLoginManager.java: 201
	~~Heap_Inspection~~	/src-modules/org/opencms/workplace/tools/accounts/CmsUserDataImportList.java: 112
	~~Heap_Inspection~~	/src-modules/org/opencms/workplace/tools/accounts/CmsUserDataImportDialog.java: 77
	~~Heap_Inspection~~	/src-modules/org/opencms/workplace/commons/CmsPreferences.java: 255
	~~Heap_Inspection~~	/src-modules/org/opencms/workplace/commons/CmsPreferences.java: 252
	~~Heap_Inspection~~	/src-modules/org/opencms/workplace/CmsLogin.java: 170
	~~Heap_Inspection~~	/src/org/opencms/file/CmsUser.java: 107
	~~Heap_Inspection~~	/src-gwt/org/opencms/gwt/client/super_src/com/google/gwt/http/client/RequestBuilder.java: 97
	~~Password_In_Comment~~	/src/org/opencms/security/CmsAdvancedPasswordHandler.java: 96
	~~Unpinned Actions Full Length Commit SHA~~	/semgrep-mobb.yaml: 39
	~~Use_Of_Hardcoded_Password~~	/src/org/opencms/main/I_CmsEventListener.java: 485
	~~Use_Of_Hardcoded_Password_In_Config~~	/src/org/opencms/ui/apps/messages.properties: 1362
	~~Use_Of_Hardcoded_Password_In_Config~~	/src/org/opencms/ui/apps/messages.properties: 1360
	~~Use_Of_Hardcoded_Password_In_Config~~	/src/org/opencms/ui/apps/messages.properties: 1249
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.postgresql/opencms.properties: 46
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.postgresql/opencms.properties: 19
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.oracle_8/opencms.properties: 46
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.oracle_8/opencms.properties: 19
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.oracle/opencms.properties: 46
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.oracle/opencms.properties: 19
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.mysql/opencms.properties: 46
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.mysql/opencms.properties: 19
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.db2/opencms.properties: 46
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.db2/opencms.properties: 19
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.as400/opencms.properties: 46
	~~Use_Of_Hardcoded_Password_In_Config~~	/test/data/WEB-INF/config.as400/opencms.properties: 19
	~~Use_Of_Hardcoded_Password_In_Config~~	/src-modules/org/opencms/workplace/tools/accounts/messages.properties: 801
	~~Use_Of_Hardcoded_Password_In_Config~~	/src-modules/org/opencms/workplace/tools/accounts/messages.properties: 179
	~~Use_Of_Hardcoded_Password_In_Config~~	/src/org/opencms/db/generic/query.properties: 1745
	~~Use_Of_Hardcoded_Password_In_Config~~	/src-modules/org/opencms/workplace/tools/accounts/messages.properties: 779

Add files via upload

fe1b9ab

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add files via upload#7

Add files via upload#7
antonychiu2 wants to merge 1 commit intomasterfrom
antonychiu2-patch-3

antonychiu2 commented Apr 10, 2025

Uh oh!

github-actions bot commented Apr 10, 2025

Uh oh!

antonychiu2 commented Apr 10, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

antonychiu2 commented Apr 10, 2025

Uh oh!

github-actions bot commented Apr 10, 2025

No security issues were found ✅

Uh oh!

antonychiu2 commented Apr 10, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant