v.4 PCI FAIL: Cross-site Scripting (XSS) vulnerability

2 years ago
phayes wrote:
I think you may find it is; follow the link below.

https://www.tenable.com/plugins/nessus/106657

The remote web server is affected by a cross-site scripting vulnerability.


We have a 3.6 site on the same server that passes, and the new 4.0 site fails? If it were the issue you referenced, they would both be failing.
2 years ago
phayes wrote:
Do you have a solution for users of NopCommerce v3.8 as a quick fix and not currently able to upgrade?


I have searched several threads for this answer, how can we fix v3.8 sites that can't upgrade? (no-source version)
2 years ago
jayro wrote:
Do you have a solution for users of NopCommerce v3.8 as a quick fix and not currently able to upgrade?

I have searched several threads for this answer, how can we fix v3.8 sites that can't upgrade? (no-source version)


Yes, both versions that we are running are now failing... despite applying a fix that they closed the issue on.
2 years ago
PCI company says:

Solution
Windows 2012 R2 Standard
Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
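The solution text above is generic, so here is an added, language-neutral illustration (not nopCommerce's code, and written in Python rather than C# purely for compactness) of what "HTML-encode everything collected from the client" means for the two headers the finding names. The sample header values are constructed; `render_unsafe` is the pattern the scanner flags, `render_encoded` is the corrected form, and `reflects_raw_markup` is a small regression check a site owner could adapt to confirm that header values containing markup characters no longer reach the page verbatim.

```python
"""
Added example, not part of the nopCommerce project: echo the Referer and
User-Agent request headers into a diagnostics snippet, first without and
then with HTML encoding at the point of output.
"""
import html

# Constructed sample headers standing in for what a scanner would send.
SAMPLE_HEADERS = {
    "Referer": "http://example.invalid/?q=<b>bold</b>",
    "User-Agent": 'Agent "quoted" & <i>tagged</i>',
}


def render_unsafe(headers: dict) -> str:
    """'Before' form: header values are concatenated straight into HTML,
    so any markup the client sends is rendered as markup."""
    return "<p>Referrer: {}</p>\n<p>Browser: {}</p>".format(
        headers.get("Referer", ""), headers.get("User-Agent", "")
    )


def render_encoded(headers: dict) -> str:
    """Hardened form: every client-supplied value is HTML-encoded when it
    is written into the page, so it is rendered as text. quote=True also
    encodes double and single quotes, which matters when a value lands
    inside an attribute."""
    ref = html.escape(headers.get("Referer", ""), quote=True)
    ua = html.escape(headers.get("User-Agent", ""), quote=True)
    return f"<p>Referrer: {ref}</p>\n<p>Browser: {ua}</p>"


def reflects_raw_markup(page: str, values) -> bool:
    """Regression check: True if any client value that contains an
    HTML-significant character appears verbatim in the rendered page."""
    return any(
        v in page for v in values if any(c in v for c in '<>"&')
    )


if __name__ == "__main__":
    print("unsafe reflects raw markup:",
          reflects_raw_markup(render_unsafe(SAMPLE_HEADERS), SAMPLE_HEADERS.values()))
    print("encoded reflects raw markup:",
          reflects_raw_markup(render_encoded(SAMPLE_HEADERS), SAMPLE_HEADERS.values()))
    print(render_encoded(SAMPLE_HEADERS))
```

In an ASP.NET view the same rule is met by letting Razor's default `@` output encoding handle header values (or calling `System.Net.WebUtility.HtmlEncode` explicitly in code), and by never emitting them through `Html.Raw`; the check above is the part that is easy to forget, since a scanner will keep failing the site as long as any one page still echoes a header unencoded.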
1 year ago
Still waiting for a response on github since April. I just added a new screenshot today. The fix that was listed did nothing to resolve the issue that the ticket was opened for.