v.4 PCI FAIL: Cross-site Scripting (XSS) vulnerability

Posted: July 26, 2018 at 12:23 PM Quote #209414
We upgraded from 3.7 to 4.0 a few weeks ago, and now we are failing PCI "Cross-site Scripting (XSS) vulnerability".

Is this a known issue?
Posted: July 26, 2018 at 2:22 PM Quote #209423
Which page exactly is vulnerable? Please provide a list of steps to reproduce the issue.
Interested in the dedicated Premium support services provided by core developers? Please visit http://www.nopcommerce.com/supportservices.aspx

Regards,
Andrei Mazulnitsyn
Posted: July 26, 2018 at 4:17 PM Quote #209429
a.m. wrote:
Which page exactly is vulnerable? Please provide a list of steps to reproduce the issue.

If you would like, I could email the full .pdf report with the fails. They were on product pages. Just pm me.
Posted: July 27, 2018 at 12:17 AM Quote #209435
Done. Thanks
Regards,
Andrei Mazulnitsyn
Posted: July 28, 2018 at 12:25 AM Quote #209487
Hi Guys,

I ran my PCI compliance test yesterday and also have this problem. The error on the report is shown below:

JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS 443 / tcp / possible_wls

The error is explained here

The solution is to upgrade to jQuery version 1.12.0 or later.

I am running nopCommerce v3.8 and my scripts already contain a migrated version of jQuery 1.12.

jquery-migrate-1.2.1.min.js

Does anyone know how to migrate to this version with the platform? Do I need to place the declaration after the previous version, like below?

    Html.AppendScriptParts("~/Scripts/jquery-1.10.2.min.js");
    Html.AppendScriptParts("~/Scripts/jquery-migrate-1.2.1.min.js");


Paul.
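
Added example, not part of the original posts or of nopCommerce: a small JavaScript check that pulls the script paths out of `Html.AppendScriptParts(...)` lines like those in the post above, separates jQuery core files from other jQuery-named files such as jquery-migrate, and tests each core version against the range in the scan finding title (1.x < 1.12.0, 2.x < 2.2.0). It assumes core files follow the `jquery-<version>[.min].js` naming convention and that the file name matches the file's content; the third sample line is constructed.

```javascript
// Fixed-in version per major branch, from the finding title quoted on this page:
// "JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS".
const FIXED_IN = { 1: [1, 12, 0], 2: [2, 2, 0] };

// Assumption: jQuery core is named jquery-<major>.<minor>.<patch>[.slim][.min].js.
// jquery-migrate-1.2.1.min.js does not match: it is a separate plugin whose
// version number is its own, not the version of jQuery core.
const CORE_RE = /(?:^|\/)jquery-(\d+)\.(\d+)\.(\d+)(?:\.slim)?(?:\.min)?\.js$/i;

// Pull the first quoted path out of each Html.AppendScriptParts(...) call.
function extractScriptPaths(razorSource) {
  const callRe = /Html\.AppendScriptParts\([^"]*"([^"]+)"/g;
  return Array.from(razorSource.matchAll(callRe), (m) => m[1]);
}

// Component-wise comparison of [major, minor, patch]; "1.10.2" < "1.12.0".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one script path and say whether it falls in the flagged range.
function auditScript(path) {
  const m = CORE_RE.exec(path);
  if (!m) return { path, kind: "not-jquery-core", flagged: false };
  const version = m.slice(1, 4).map(Number);
  const fixed = FIXED_IN[version[0]]; // undefined for branches the finding does not name
  const flagged = fixed !== undefined && compareVersions(version, fixed) < 0;
  return { path, kind: "jquery-core", version: version.join("."), flagged };
}

function auditLayout(razorSource) {
  return extractScriptPaths(razorSource).map(auditScript);
}

// Sample input: the two lines from the post plus one constructed (hypothetical)
// reference to a core version outside the flagged range.
const SAMPLE_LAYOUT = `
    Html.AppendScriptParts("~/Scripts/jquery-1.10.2.min.js");
    Html.AppendScriptParts("~/Scripts/jquery-migrate-1.2.1.min.js");
    Html.AppendScriptParts("~/Scripts/jquery-1.12.4.min.js");
`;

for (const r of auditLayout(SAMPLE_LAYOUT)) {
  console.log(r.flagged ? "FLAGGED" : "ok     ", r.kind, r.version || "-", r.path);
}
```
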
Posted: July 28, 2018 at 1:26 AM Quote #209489
Here is a good write-up on the issue if anyone is interested.

https://www.acunetix.com/websitesecurity/cross-site-scripting/
Posted: July 28, 2018 at 5:05 AM Quote #209493
nopCommerce 4.10 uses the latest version of jQuery.
Regards,
Andrei Mazulnitsyn
Posted: July 28, 2018 at 5:11 AM Quote #209494
Do you have a solution, as a quick fix, for users of nopCommerce v3.8 who are not currently able to upgrade?
Posted: July 28, 2018 at 12:16 PM Quote #209503
phayes wrote:
Hi Guys,

I ran my PCI compliance test yesterday and also have this problem. The error on the report is shown below:

JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS 443 / tcp / possible_wls

The error is explained here

The solution is to upgrade to jQuery version 1.12.0 or later.

I am running nopCommerce v3.8 and my scripts already contain a migrated version of jQuery 1.12.

jquery-migrate-1.2.1.min.js

Does anyone know how to migrate to this version with the platform? Do I need to place the declaration after the previous version, like below?

    Html.AppendScriptParts("~/Scripts/jquery-1.10.2.min.js");
    Html.AppendScriptParts("~/Scripts/jquery-migrate-1.2.1.min.js");


Paul.


This isn't the same issue.
Posted: July 28, 2018 at 12:21 PM Quote #209504
I think you may find it is; follow the link below.

https://www.tenable.com/plugins/nessus/106657

The remote web server is affected by a cross-site scripting vulnerability.