jQuery DOM Methods Cross-Site Scripting Vulnerability

 

Posted 03 August 2020 - 02:57 PM #1

Hi bros and sis, just doing a PCI scan and got the result below:

 

This version of JQuery is susceptible to cross-site scripting when passing HTML from untrusted sources even after sanitizing it to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others).

 

Upgrade jQuery to version 3.5.0 or higher.

 

PCI Status Fail

 

Any idea how to sort it out please?

 

Regards Marian
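
An added example (not part of the original post and not CS-Cart's own code): one way to find which bundled jQuery copies are below the 3.5.0 level the scan asks for, by reading the version banner at the top of each file. The paths and file contents in `SAMPLE` are constructed for illustration.

```javascript
// Fix level taken from the scan finding: "Upgrade jQuery to version 3.5.0 or higher".
const FIXED = [3, 5, 0];

// Banner comment jQuery ships at the top of its builds, e.g.
// "/*! jQuery v3.4.1 | (c) ..." (minified) or "* jQuery JavaScript Library v3.4.1".
const BANNER = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)/;

function findJqueryVersion(source) {
  // The banner is the first comment, so only the head of the file is searched.
  const m = BANNER.exec(source.slice(0, 2048));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isBelowFix(version) {
  // Compare major, minor, patch in order against the fix level.
  for (let i = 0; i < 3; i++) {
    if (version[i] !== FIXED[i]) return version[i] < FIXED[i];
  }
  return false; // exactly 3.5.0
}

function auditBundles(files) {
  // files: { path: fileContents }. Returns one finding per file.
  return Object.entries(files).map(([path, source]) => {
    const v = findJqueryVersion(source);
    // A stripped banner means "unknown", not "safe": check that file by hand.
    if (!v) return { path, version: null, status: "no-banner" };
    return { path, version: v.join("."), status: isBelowFix(v) ? "upgrade" : "ok" };
  });
}

// Constructed sample input (paths and contents are made up for this example).
const SAMPLE = {
  "js/lib/jquery.min.js":
    "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){}",
  "js/lib/jquery-new.js":
    "/*!\n * jQuery JavaScript Library v3.5.0\n * https://jquery.com/\n */\n(function(){})();",
  "js/addon/old.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
  "js/app.js": "console.log('no jquery here');",
};

for (const f of auditBundles(SAMPLE)) {
  console.log(`${f.status.padEnd(9)} ${f.version || "-"}  ${f.path}`);
}
```

On a live page, `jQuery.fn.jquery` in the browser console reports the version that is actually loaded, which is what the scanner sees.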



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11764 posts

Posted 03 August 2020 - 06:24 PM #2

Best course of action is to move away from payment methods that store (or process) credit card info locally on your server.  If you move to something like Square (or many other modern payment processors) you can drop PCI certifications and save yourself a whole lot of time and money.  We have a Square payment addon called Squarepay.  You can review it here: https://ez-ms.com/squarepay.html


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 

Posted 03 August 2020 - 08:35 PM #3

This will be fixed in a future CS-Cart version. They are already aware and have implemented a patch.



 

Posted 04 August 2020 - 02:33 PM #4

Thanks EZ, but if you want to take a payment over the phone you must be PCI compliant.

So now CS-Cart is not PCI compliant at all :-( It is sad, very sad.

 

Regards



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11764 posts

Posted 04 August 2020 - 04:04 PM #5

Not if you are entering the cc data into an iframe (on the payment provider's site) versus an input field. No cc data is ever on your site (unless of course you write it down, which would be bad practice in any environment).




 

Posted 05 August 2020 - 06:31 PM #6

What about the guys from CS-Cart? Are they hiding? :-) or sleeping :-) or do they want me to ask about $$$ support :-) ridiculous :-) nobody cares :-)



 
  • teosu
  • Senior Member
  • Members
  • Join Date: 09-Oct 14
  • 771 posts

Posted 05 August 2020 - 07:33 PM #7

Forget the CS team, they never care about customer reviews.



 

Posted 05 August 2020 - 08:09 PM #8

So :-) someone has fixed it for us :-) it was my IT genius :-) I am going to run another PCI test and will inform you :-)

 

Regards Marian