box / box-android-sdk

Apache License 2.0

Security alert on Cross App Scripting Vulnerability #439

Open mosess opened 3 years ago

mosess commented 3 years ago

We're using the Data Theorem mobile security tool and getting the following high-priority alert:

Google Play Blocker: Cross App Scripting Vulnerability The following Java or Kotlin Activities contain WebViews that are vulnerable to Cross App Scripting: com.box.androidsdk.content.auth.OAuthActivity

WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious Apps into executing JavaScript code in an unsafe context.

Is this a known issue? Is there a plan for getting it fixed? I can post their recommended solutions if needed.

* We're currently using version 5.0.0, which is available on Maven, but I can't find any reference to it in the repository releases. Should we change it to the latest one shown here (4.2.3)?
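For readers unfamiliar with the alert class above, here is an added illustration (not code from box-android-sdk, and not the reporter's or Box's own fix) of the defensive pattern a WebView Activity needs when JavaScript is enabled: Intent-supplied data is treated as untrusted and checked against an allowlist before the WebView loads it. The package name and the allowed host are placeholder assumptions.

```java
// Added example, not part of box-android-sdk. Hardened WebView Activity:
// JavaScript is enabled, but URLs arriving via the launching Intent are only
// loaded if scheme and host match an allowlist. Pair this with
// android:exported="false" in the manifest unless other apps must launch it.
package com.example.webviewhardening; // placeholder package

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedWebViewActivity extends Activity {
    private static final String ALLOWED_SCHEME = "https";
    private static final String ALLOWED_HOST = "auth.example.com"; // placeholder host

    /** Returns true only for URLs this Activity is prepared to render. */
    static boolean isAllowedUrl(Uri uri) {
        if (uri == null) return false;
        // Rejects javascript:, file:, content: and any non-https scheme.
        if (!ALLOWED_SCHEME.equals(uri.getScheme())) return false;
        return ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccess(false);
        // Keep later navigations inside the allowlist too, not just the first load.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(Uri.parse(url)); // returning true blocks the load
            }
        });
        setContentView(webView);

        // Intent data is attacker-controlled whenever the Activity is reachable
        // from other apps; validate it before it touches the WebView.
        Intent intent = getIntent();
        Uri requested = (intent != null) ? intent.getData() : null;
        if (isAllowedUrl(requested)) {
            webView.loadUrl(requested.toString());
        } else {
            finish(); // refuse to render untrusted input
        }
    }
}
```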

swfree commented 3 years ago

Hi @mosess, thanks for reporting this issue. We'll take a look into the security vulnerability and get back to you soon with an update on when we can get this fixed.

Regarding the version, you'll want to use 4.2.3. The 5.0.0 version on Maven looks like it may have been a mistake that we'll look into removing.

mosess commented 3 years ago

Hey, any news about this one? I saw there's a merged fix; is there a plan to release an updated SDK version with it?

arash-autodesk commented 11 months ago

Hey gang (@swfree), any update on this? Was this fix released?

I don't see any more releases after Mar 18 2019 https://github.com/box/box-android-sdk/releases