v.4 PCI FAIL: Cross-site Scripting (XSS) vulnerability

1 year ago
We upgraded from 3.7 to 4.0 a few weeks ago, and now we are failing PCI "Cross-site Scripting (XSS) vulnerability"

Is this a known issue?
1 year ago
Which page exactly is vulnerable? Please provide a list of steps to reproduce the issue.
1 year ago
a.m. wrote:
Which page exactly is vulnerable? Please provide a list of steps to reproduce the issue.

If you would like, I could email the full .pdf report with the fails. They were on product pages. Just pm me.
1 year ago
Done. Thanks
1 year ago
Hi Guys,

I ran my PCI compliance test yesterday and also have this problem, the error on the report is shown below:

JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS 443 / tcp / possible_wls

The error is explained here

The solution is to upgrade to JQuery version 1.12.0 or later.

I am running NopCommerce v3.8 and my scripts already contain a migrated version of JQuery 1.12

jquery-migrate-1.2.1.min.js

Does anyone know how to migrate to this version within the platform? Do I need to place the declaration after the previous version, like below?

    Html.AppendScriptParts("~/Scripts/jquery-1.10.2.min.js");
    Html.AppendScriptParts("~/Scripts/jquery-migrate-1.2.1.min.js");


Paul.
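A small check to run against a rendered storefront page, added here as an example and not code from the thread or from nopCommerce: it finds jQuery core script references in HTML and flags versions below the thresholds quoted in the scan line above (1.x below 1.12.0, 2.x below 2.2.0). The jquery-migrate file is a compatibility shim, not jQuery core, so it is deliberately not counted as an upgrade. The sample HTML is constructed from the script names in the post.

```javascript
// Added example (not from the forum thread or nopCommerce): scan rendered HTML
// for jQuery core script references and flag versions below the thresholds in
// the PCI scan finding "JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS".

// Lowest version per major that the quoted finding does not flag.
const MIN_VERSION = { 1: [1, 12, 0], 2: [2, 2, 0] };

// Numeric three-part version compare: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Matches src="...jquery-1.10.2.min.js" or "...jquery-2.1.4.js".
// Does not match jquery-migrate-*.js, since "jquery-" must be followed by digits.
const JQUERY_SRC =
  /<script\b[^>]*\bsrc\s*=\s*["']([^"']*?\bjquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js)["']/gi;

// Returns one record per jQuery core reference found in the HTML.
function findOutdatedJquery(html) {
  const results = [];
  for (const m of html.matchAll(JQUERY_SRC)) {
    const version = [Number(m[2]), Number(m[3]), Number(m[4])];
    const min = MIN_VERSION[version[0]];
    results.push({
      src: m[1],
      version: version.join("."),
      // Only 1.x and 2.x are covered by the quoted finding; other majors are
      // reported but not flagged by this check.
      outdated: min !== undefined && compareVersions(version, min) < 0,
    });
  }
  return results;
}

// Constructed sample page: the two scripts from the post plus an up-to-date 2.x build.
const SAMPLE_HTML = `
<script src="/Scripts/jquery-1.10.2.min.js"></script>
<script src="/Scripts/jquery-migrate-1.2.1.min.js"></script>
<script src="/Scripts/jquery-2.2.4.min.js"></script>
`;

for (const r of findOutdatedJquery(SAMPLE_HTML)) {
  console.log(`${r.outdated ? "FLAG" : "ok  "} ${r.version}  ${r.src}`);
}
```

Feed it the HTML of a product page fetched with curl or saved from the browser; the migrate shim only keeps old plugin code working on a newer jQuery, so the core file itself still has to be replaced by 1.12.0 or later.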
1 year ago
here is a good write up on the issue if anyone is interested.

https://www.acunetix.com/websitesecurity/cross-site-scripting/
1 year ago
nopCommerce 4.10 uses the latest version of jQuery
1 year ago
Do you have a solution for users of NopCommerce v3.8 as a quick fix and not currently able to upgrade?
1 year ago
phayes wrote:
Hi Guys,

I ran my PCI compliance test yesterday and also have this problem, the error on the report is shown below:

JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS 443 / tcp / possible_wls

The error is explained here

The solution is to upgrade to JQuery version 1.12.0 or later.

I am running NopCommerce v3.8 and my scripts already contain a migrated version of JQuery 1.12

jquery-migrate-1.2.1.min.js

Does anyone know how to migrate to this version within the platform? Do I need to place the declaration after the previous version, like below?

    Html.AppendScriptParts("~/Scripts/jquery-1.10.2.min.js");
    Html.AppendScriptParts("~/Scripts/jquery-migrate-1.2.1.min.js");


Paul.


This isn't the same issue.
1 year ago
I think you may find it is; follow the link below.

https://www.tenable.com/plugins/nessus/106657

The remote web server is affected by a cross-site scripting vulnerability.