Topic: jQuery before 3.0.0 is vulnerable to XSS

llegrand
jQuery before 3.0.0 is vulnerable to XSS
« on: March 28, 2018, 11:12:42 PM »
While working to obtain PCI compliance on a site, all tests have been successfully passed except for one.

CVE-2015-9251 fails with this notification:

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

It looks like the 1.2.12 version is using jQuery 1.12.4. The jQuery site states that versions 1.x and 2.x are no longer receiving patches. Do you anticipate upgrading to 3.x with the next AbanteCart version, 1.2.13?

Info regarding the issue can be found here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251

Any feedback on this would be appreciated.

Lee
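A simplified model, added here and not code from jQuery or AbanteCart, of the behaviour this CVE describes: with dataType omitted, jQuery before 3.0.0 picks the response type from the Content-Type header, so a cross-domain text/javascript response is handed to the script converter and run; the hardened variant follows the approach of the jQuery 3 fix, which stops the script Content-Type rule from applying to cross-domain requests. The page origin, request URLs and Content-Type values are constructed for the example.

```javascript
// Simplified model (added example, not jQuery's source) of how jQuery < 3.0.0
// decides whether an Ajax response is executed as script when dataType is omitted,
// and of the mitigation: never infer "script" from Content-Type on a cross-domain request.

// Content-Type sniffing table, playing the role of jQuery's ajaxSettings.contents.
function defaultContents() {
  return {
    script: /\b(?:java|ecma)script\b/,
    json: /\bjson\b/,
    xml: /\bxml\b/,
  };
}

// True when the request URL's origin differs from the (assumed) page origin.
function isCrossDomain(pageOrigin, url) {
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// Explicit dataType wins; otherwise sniff the response Content-Type.
function inferDataType(settings, contentType) {
  if (settings.dataType) return settings.dataType;
  for (const [type, pattern] of Object.entries(settings.contents)) {
    if (pattern && pattern.test(contentType)) return type;
  }
  return 'text';
}

// Request settings as jQuery < 3.0.0 builds them: cross-domain is recorded but
// does not change how the response type is chosen.
function legacySettings(pageOrigin, options) {
  return Object.assign({ contents: defaultContents() }, options,
    { crossDomain: isCrossDomain(pageOrigin, options.url) });
}

// Same settings after a mitigation prefilter: a cross-domain response can no longer
// be promoted to "script" by its Content-Type alone (an explicit dataType still applies).
function hardenedSettings(pageOrigin, options) {
  const s = legacySettings(pageOrigin, options);
  if (s.crossDomain) s.contents.script = false;
  return s;
}

// Would the "text script" converter evaluate this response as JavaScript?
function wouldExecute(settings, contentType) {
  return inferDataType(settings, contentType) === 'script';
}
```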


llegrand
Re: jQuery before 3.0.0 is vulnerable to XSS
« Reply #1 on: March 31, 2018, 10:47:45 AM »
Any suggestions, remarks, insights, or possible changes?

Lee

Basara (Administrator)
Re: jQuery before 3.0.0 is vulnerable to XSS
« Reply #2 on: April 02, 2018, 04:00:07 AM »
Hi, llegrand.
I don't think that jQuery will be updated in 1.2.13.