Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Jquery Xss Vulnerabilities Rate Topic   - - - - -

 
  • dm2118
  • Junior Member
  • Members
  • Join Date: 26-Aug 09
  • 3 posts

Posted 12 June 2018 - 10:24 PM #1

Hi, I have a client who failed their PCI compliance scan by Trustwave. Anyone else having this problem and a solution? It says to upgrade to version 3.0.0 or higher, but it looks like that would probably break CS cart.

 

The following is the error message:

 

jQuery Cross-Domain
Asynchronous JavaScript and
Extensible Markup Language
Request Cross-site Scripting
Vulnerability, CVE-2015-9251

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed. This finding is based on version information which may not have been updated by previously installed patches (e.g., Red Hat "back ports").
Please submit a "Patched Service" dispute in TrustKeeper if this vulnerability has already been patched.
All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
CVE: CVE-2015-9251
NVD: CVE-2015-9251
CVSSv2: AV:N/AC:M/Au:N/C:N/I:P/A:N
Service: http
Application: nginx:nginx
Reference:
https://github.com/j...ery/issues/2432
https://snyk.io/vuln...jquery:20150627
Evidence:
Match: '1.9.1' is less than '3.0.0'
Remediation:
Upgrade jquery to version 3.0.0 or higher.



 
  • martfox
  • Member
  • Authorized Reseller
  • Join Date: 15-Jan 10
  • 556 posts

Posted 12 June 2018 - 10:25 PM #2

Which CS-Cart version is he using?


CS-Cart with 1 Year FREE Web Hosting | CS-Cart optimized SSD Cloud VPS Servers from €10.00/month
.
VPS SSD Cloud from €10.00 *** Dedicated Servers *** CS-Cart Authorized Reseller and Web Hosting Provider


 
  • dm2118
  • Junior Member
  • Members
  • Join Date: 26-Aug 09
  • 3 posts

Posted 25 June 2018 - 05:02 PM #3

They are using version 4.2.3. I see there is an update available to 4.2.4,  but my understanding is that even the latest version still uses jquery 1.9.1.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11001 posts

Posted 25 June 2018 - 07:14 PM #4

You are correct on the jQuery version...  Since cs-cart has stated they will be PCI compliant, I'd suggest you enter this as a bug in bugtracker since no cs-cart can be PCI compliant with that version of jQuery.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • mazter
  • Senior Member
  • Members
  • Join Date: 04-Apr 12
  • 273 posts

Posted 10 August 2018 - 11:51 AM #5

We hit to the same roadblock. Jquery has to be upgraded to the latest version for many reasons including PCI compliance.

 

Any updates on this? Did anybody hear back from CS-Cart on this?



 
  • danwalton
  • Newbie
  • Members
  • Join Date: 22-Mar 14
  • 6 posts

Posted 21 November 2018 - 10:34 AM #6

Relatively simple fix for this if you are comfortable modifying a core file;

 

The snippet https://github.com/j...mment-403761229here can be added to the template file design/themes/responsive/templates/common/scripts.tpl just after the inclusion of jquery.

 

This allowed me to file a dispute with my ASV against the scan result, showing that I had patched the vulnerability.