Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Jquery Xss Vulnerabilities Rate Topic   - - - - -

  • dm2118
  • Junior Member
  • Members
  • Join Date: 26-Aug 09
  • 3 posts

Posted 12 June 2018 - 10:24 PM #1

Hi, I have a client who failed their PCI compliance scan by Trustwave. Anyone else having this problem and a solution? It says to upgrade to version 3.0.0 or higher, but it looks like that would probably break CS cart.


The following is the error message:


jQuery Cross-Domain
Asynchronous JavaScript and
Extensible Markup Language
Request Cross-site Scripting
Vulnerability, CVE-2015-9251

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed. This finding is based on version information which may not have been updated by previously installed patches (e.g., Red Hat "back ports").
Please submit a "Patched Service" dispute in TrustKeeper if this vulnerability has already been patched.
All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
CVE: CVE-2015-9251
NVD: CVE-2015-9251
Service: http
Application: nginx:nginx
Match: '1.9.1' is less than '3.0.0'
Upgrade jquery to version 3.0.0 or higher.

  • martfox
  • Member
  • Authorized Reseller
  • Join Date: 15-Jan 10
  • 570 posts

Posted 12 June 2018 - 10:25 PM #2

Which CS-Cart version is he using?

Buy CS-Cart License | CS-Cart Hosting
CS-Cart VPS SSD Cloud Hosting from $4,90/month *** Dedicated Servers *** CS-Cart Authorized Reseller and Web Hosting Provider

  • dm2118
  • Junior Member
  • Members
  • Join Date: 26-Aug 09
  • 3 posts

Posted 25 June 2018 - 05:02 PM #3

They are using version 4.2.3. I see there is an update available to 4.2.4,  but my understanding is that even the latest version still uses jquery 1.9.1.

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11945 posts

Posted 25 June 2018 - 07:14 PM #4

You are correct on the jQuery version...  Since cs-cart has stated they will be PCI compliant, I'd suggest you enter this as a bug in bugtracker since no cs-cart can be PCI compliant with that version of jQuery.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.

  • mazter
  • Senior Member
  • Members
  • Join Date: 04-Apr 12
  • 275 posts

Posted 10 August 2018 - 11:51 AM #5

We hit to the same roadblock. Jquery has to be upgraded to the latest version for many reasons including PCI compliance.


Any updates on this? Did anybody hear back from CS-Cart on this?

  • danwalton
  • Newbie
  • Members
  • Join Date: 22-Mar 14
  • 6 posts

Posted 21 November 2018 - 10:34 AM #6

Relatively simple fix for this if you are comfortable modifying a core file;


The snippet https://github.com/j...mment-403761229here can be added to the template file design/themes/responsive/templates/common/scripts.tpl just after the inclusion of jquery.


This allowed me to file a dispute with my ASV against the scan result, showing that I had patched the vulnerability.