    Security Vulnerability CVE-2020-9351, CVE-2020-9352, CVE-2020-9353

    Recently one of our product customers did a security scan that resulted in security vulnerabilities on SmartClient, mentioned in the links below.
    https://www.cvedetails.com/cve/CVE-2020-9351/
    https://www.cvedetails.com/cve/CVE-2020-9352/
    https://www.cvedetails.com/cve/CVE-2020-9353/
    All the links above indicate that the vulnerability is present in SmartClient 12.1.
    My query is: is this vulnerability resolved in any later version of SmartClient? If yes, what exact version has addressed it? And correspondingly, which version of SmartGWT should we use?

    Thanks in advance.

    #2
    These are fake vulnerabilities filed by a company that was attempting to sell services to Isomorphic.

    In all 3 cases, the "vulnerabilities" reported are intentional functionality that, at deployment time, is enabled only for admins, and only if a customer specifically chooses to deploy it (see Tools Deployment).

    So, essentially, it is as if someone reported that there is a vulnerability in the desktop installed version of Microsoft Word, because once installed, Microsoft Word can read and write files. Obviously, reading and writing files is what Microsoft Word is supposed to do, so reporting this as a vulnerability is completely absurd.

    No legit security company would make such a report, or even become confused on this point. We did painstakingly explain to this company that the vulnerabilities were false and that we were not interested in purchasing their services, but they submitted them publicly anyway.

    Please do not further feed the trolls, as the best outcome here is that this company is never able to submit CVE reports again.



      #3
      Can you please confirm if your previously stated response for these CVEs is still applicable in the latest version of the product?



        #4
        Yes, these continue to be fake vulnerabilities reported by scam artists, not of any concern to anyone.



          #5
          Thanks for the confirmation :-)
