jQuery used by the application is vulnerable to CVE-2012-6708 and CVE-2015-9251
#1
Getting another vulnerability - Using Known Vulnerable Components

The version of jQuery used by the application is vulnerable to CVE-2015-9251

<script type="text/javascript" src="/$/js/IWLib__1837908247.js"></script>

I checked this jQuery, and the version used in IW is 1.12.4 only. I think what they are expecting is 3.4 or above.

Here I am attaching the screenshot. I am using IW version 15.2.27.
Reply
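The version check described in post #1, as an added example that is not part of the thread or of IntraWeb's code: it pulls the jQuery version string out of a script bundle and compares it numerically against the two CVEs named in the thread title (a plain string comparison would wrongly sort 1.12.4 before 1.9.0). The function names and the sample bundle text are constructed; the thresholds are the "before 1.9.0" and "before 3.0.0" affected ranges from the public CVE records.

```javascript
// Added example. "fixedIn" is the first release outside each CVE's affected range.
const JQUERY_CVES = [
  { id: "CVE-2012-6708", fixedIn: [1, 9, 0] },
  { id: "CVE-2015-9251", fixedIn: [3, 0, 0] },
];

// The licence banner carries the version ("jQuery v1.12.4" or
// "jQuery JavaScript Library v1.12.4"); some builds also inline it as jquery:"x.y.z".
const VERSION_PATTERNS = [
  /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?/,
  /\bjquery\s*:\s*["'](\d+)\.(\d+)(?:\.(\d+))?/,
];

// Returns [major, minor, patch] or null when no version string is present
// (for example when a bundler stripped the banner).
function findJQueryVersion(source) {
  for (const re of VERSION_PATTERNS) {
    const m = re.exec(source);
    if (m) return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
  }
  return null;
}

// Numeric, component-wise comparison: true when version a is older than b.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Maps the detected version to the CVEs from this thread that still apply to it.
function affectedCves(source) {
  const version = findJQueryVersion(source);
  if (!version) return { version: null, cves: [] };
  const cves = JQUERY_CVES.filter((c) => isBefore(version, c.fixedIn)).map((c) => c.id);
  return { version: version.join("."), cves };
}

// Constructed sample standing in for the contents of a bundled script file.
const SAMPLE_BUNDLE =
  "/* bundled library */\n" +
  "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n" +
  "!function(a,b){}(this);";

console.log(affectedCves(SAMPLE_BUNDLE));
```

A `null` version means the bundle carried no recognisable version string, not that the file is free of jQuery.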
#2
You can disable in ServerController -> JavaScriptOptions -> RenderJQuery := False;
Reply
#3
We are planning to update jQuery to a newer version; however, many other components depend on it. We need to do extensive testing.

Meanwhile you can disable jQuery rendering and add your own version to all your IW pages (you can easily accomplish that using serverController.ContentFiles)
Reply
#4
BTW, vulnerabilities of jQuery are extremely overrated by auditors... The reality is: if someone can break into your HTTPS connection, nothing will protect you from whatever they have. They don't need to play with jQuery to steal your data and redirect you to a fake web site... But... auditors are here to make money, right?
Reply
#5
(08-04-2021, 08:04 AM)Alexandre Machado Wrote: BTW, vulnerabilities of jQuery are extremely overrated by auditors... The reality is: if someone can break into your HTTPS connection, nothing will protect you from whatever they have. They don't need to play with jQuery to steal your data and redirect you to a fake web site... But... auditors are here to make money, right?

Alexandre,

I have to agree with you.

We are in the middle of annual PCI recertification, and strong and valid arguments to the auditors are required when they present high status security fails that are not based upon reality or real operation of the technology.

It can be very frustrating...

My 2 cents spent...
Reply

