Could plupload v2.1.2 cause a security vulnerability in Bonita?

1
0
-1

Hello,

We have noticed that Plupload - multi-runtime File Uploader v2.1.2 is used in Bonita.

/server/webapps/bonita/portal/scripts/ext/plupload.full.min.js

Also, we have found that versions before 2.1.9 have security vulnerability allowing remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack (link below):

https://www.cvedetails.com/vulnerability-list/vendor_id-11933/product_id-22269/Plupload-Plupload.html

Could you please share with me more information about this point? Is this security threat valid for Bonita as well? If yes, could Plupload be updated to a newer version?

Platform:

  • Bonita-Subscription-7.9.4

Thanks a lot,

1 answer

1
+2
-1
This one is the BEST answer!

Hello,

First of all I can tell you that plupload is only used in the admin profile of the portal in some pages like the admin process list (in order to upload a process). So for the non-admin end users and for the process forms another library is used.
Then those pages are currently been reworked and plupload will soon be removed from Bonita portal as it will no longer be used .

That being said, the vulnerability you are mentioning seems to be located in the swf file (https://www.plupload.com/punbb/viewtopic.php?pid=28690), which, AFAIK, we don't use. So, if you prefer, you can also delete Moxie.swf from bonita.war as mentioned in plupload forum.

Notifications