Atozed Forums
jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251

Thread: jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251 (https://www.atozed.com/forums/thread-2467.html)



jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251 - pgnair - 07-28-2021

Getting another vulnerability - Using Known Vulnerable Components

The version of jQuery used by the application is vulnerable to CVE-2015-9251

<script type="text/javascript" src="/$/js/IWLib__1837908247.js"></script>

I checked this jQuery and the version used in IW is 1.12.4 only. I think what they are expecting is 3.4 or above.

Here I am attaching the screenshot. I am using IW version 15.2.27.


RE: jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251 - Jose Nilton Pace - 07-28-2021

You can disable it in ServerController -> JavaScriptOptions -> RenderJQuery := False;


RE: jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251 - Alexandre Machado - 08-04-2021

We are planning to update jQuery to a newer version; however, many other components depend on it. We need to do extensive testing.

Meanwhile you can disable jQuery rendering and add your own version to all your IW pages (you can easily accomplish that using serverController.ContentFiles)
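
The two suggestions above (turn off the bundled jQuery, then ship your own copy via ContentFiles) as one added example, written for this thread and not taken from the original posts or from Atozed's IntraWeb sources. It is a fragment for the implementation section of ServerController.pas. Assumptions, labelled as such: the OnConfig handler name is the one the IDE generates for the ServerController, ContentPath points at the application's wwwroot folder, ContentFiles entries are URLs relative to that root, and '/js/jquery-3.6.0.min.js' is a placeholder for whatever jQuery release you actually download, verify and deploy.

```delphi
uses
  System.SysUtils, System.IOUtils;

const
  // Hypothetical location of the self-hosted replacement, relative to wwwroot.
  // Replace with the file you actually download, checksum and deploy.
  LocalJQuery = '/js/jquery-3.6.0.min.js';

// Assumed handler name: the one generated for the ServerController's OnConfig event.
procedure TIWServerController.IWServerControllerBaseConfig(Sender: TObject);
var
  LocalFile: string;
begin
  // 1. Stop IntraWeb from emitting its bundled jQuery 1.12.4 (the IWLib__*.js
  //    script the scanner flagged). Property path as given in the reply above.
  JavaScriptOptions.RenderJQuery := False;

  // 2. Refuse to start with a dangling reference. Many IW components need jQuery,
  //    so a page with no jQuery at all is silent breakage, not hardening.
  //    ContentPath is assumed here to be the wwwroot folder.
  LocalFile := TPath.Combine(ContentPath,
    LocalJQuery.TrimLeft(['/']).Replace('/', PathDelim));
  if not FileExists(LocalFile) then
    raise Exception.CreateFmt('Replacement jQuery not deployed: %s', [LocalFile]);

  // 3. Serve the newer, self-hosted copy on every page (no third-party CDN).
  ContentFiles.Add(LocalJQuery);
end;
```

After deploying, load a page and read its source: the IWLib jQuery bundle should no longer be referenced, and the new script tag must appear before any IntraWeb script that uses $, or dependent components will fail. Because jQuery 3.x removed several 1.x APIs, the components Alexandre mentions need a regression pass; loading the jquery-migrate plugin alongside the new version is one way to surface those calls during testing.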


RE: jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251 - Alexandre Machado - 08-04-2021

BTW, vulnerabilities of jQuery are extremely overrated by auditors... The reality is: if someone can break into your HTTPS connection, nothing will protect you from whatever they have. They don't need to play with jQuery to steal your data and redirect you to a fake web site... But... auditors are here to make money, right?


RE: jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251 - zsleo - 08-04-2021

(08-04-2021, 08:04 AM)Alexandre Machado Wrote: BTW, vulnerabilities of jQuery are extremely overrated by auditors... The reality is: if someone can break into your HTTPS connection, nothing will protect you from whatever they have. They don't need to play with jQuery to steal your data and redirect you to a fake web site... But... auditors are here to make money, right?

Alexandre,

I have to agree with you.

We are in the middle of annual PCI recertification, and strong and valid arguments to the auditors are required when they present high-status security fails that are not based upon reality or the real operation of the technology.

It can be very frustrating...

My 2 cents spent...