Hi, I have a client who failed their PCI compliance scan by Trustwave. Anyone else having this problem and a solution? It says to upgrade to version 3.0.0 or higher, but it looks like that would probably break CS-Cart.
The following is the error message:
jQuery Cross-Domain Asynchronous JavaScript and Extensible Markup Language Request Cross-site Scripting Vulnerability, CVE-2015-9251
jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed. This finding is based on version information which may not have been updated by previously installed patches (e.g., Red Hat "back ports").
Please submit a "Patched Service" dispute in TrustKeeper if this vulnerability has already been patched.
All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
CVE: CVE-2015-9251
NVD: CVE-2015-9251
CVSSv2: AV:N/AC:M/Au:N/C:N/I:P/A:N
Service: http
Application: nginx:nginx
Reference:
https://github.com/jquery/jquery/issues/2432
https://snyk.io/vuln/npm:jquery:20150627
Evidence:
Match: '1.9.1' is less than '3.0.0'
Remediation:
Upgrade jquery to version 3.0.0 or higher.
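The scanner text above describes the mechanism but not why a missing dataType matters. The following is an added example, not code from this post, from CS-Cart or from jQuery: a reduced reimplementation of how jQuery's ajaxHandleResponses picks a response type when the caller gave no dataType (it sniffs the Content-Type header against the `contents` table, and a match on "script" sends the body to globalEval), together with the ajaxPrefilter-style mitigation that jQuery 3.0.0 shipped for CVE-2015-9251 (issue jquery/jquery#2432). The request settings, the third-party URL and the `Content-Type: text/javascript` response are constructed for the demonstration; the code runs stand-alone in Node without jQuery.

```javascript
// Added example: simplified model of jQuery's Content-Type sniffing for AJAX
// responses and of the CVE-2015-9251 mitigation. Not jQuery's code.

// jQuery's default `contents` table: regexes tested against the response
// Content-Type when the caller did not name a dataType.
const DEFAULT_CONTENTS = {
  xml: /xml/,
  html: /html/,
  json: /json/,
  script: /(?:java|ecma)script/,
};

// Build a settings object the way jQuery.ajax would. jQuery derives
// `crossDomain` from the URL; here the caller states it directly.
function makeSettings({ dataType, crossDomain }) {
  return {
    crossDomain: Boolean(crossDomain),
    // With no dataType, jQuery starts from "*" and sniffs the Content-Type.
    dataTypes: (dataType || "*").toLowerCase().split(" "),
    contents: { ...DEFAULT_CONTENTS },
  };
}

// The mitigation jQuery 3.0.0 registers in src/ajax/script.js: for a
// cross-domain request, refuse to *infer* "script" from the Content-Type.
// An explicit dataType of "script" is unaffected because inference is never
// consulted when a dataType was given.
function crossDomainScriptPrefilter(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// Simplified ajaxHandleResponses: resolve "*" to a concrete type by testing the
// response Content-Type against the `contents` table in insertion order.
// A `false` entry (set by the prefilter) is skipped.
function resolveDataType(s, contentType) {
  const dataTypes = [...s.dataTypes];
  while (dataTypes[0] === "*") dataTypes.shift();
  if (dataTypes.length === 0 && contentType) {
    for (const [type, re] of Object.entries(s.contents)) {
      if (re && re.test(contentType)) {
        dataTypes.unshift(type);
        break;
      }
    }
  }
  return dataTypes[0] || "text";
}

// True if, under these settings, jQuery would hand the response body to the
// "text script" converter (globalEval) instead of returning it as data.
function wouldExecuteAsScript({ dataType, crossDomain, contentType, patched }) {
  const s = makeSettings({ dataType, crossDomain });
  if (patched) crossDomainScriptPrefilter(s);
  return resolveDataType(s, contentType) === "script";
}

// Constructed scenario: the shop calls $.get("https://third-party.example/feed")
// with no dataType, and that host answers with Content-Type: text/javascript.
const scenarios = [
  { label: "jQuery < 3.0, no dataType, cross-domain", crossDomain: true, contentType: "text/javascript" },
  { label: "jQuery 3.0 prefilter, no dataType, cross-domain", crossDomain: true, contentType: "text/javascript", patched: true },
  { label: "jQuery < 3.0, dataType: 'json' set explicitly", dataType: "json", crossDomain: true, contentType: "text/javascript" },
  { label: "same-origin, no dataType (unchanged by the fix)", crossDomain: false, contentType: "text/javascript", patched: true },
];

for (const sc of scenarios) {
  console.log(`${sc.label}: executes as script = ${wouldExecuteAsScript(sc)}`);
}
```

The third scenario is the point for a site that cannot move to 3.0.0: the response is only evaluated when jQuery has to guess the type, so passing an explicit dataType ("json", "html", "text") on every cross-domain request removes the guess. Registering the same prefilter from application code on an older jQuery should have the same effect, since ajaxPrefilter and the contents table exist there too, but that is an assumption to verify against the version in use, and whether the scanner then accepts a "Patched Service" dispute is a separate question from whether the behaviour is fixed.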