Solved

jQuery out of date on the login page causing a medium vulnerability found on PCI scan


We scan our public IP quarterly to verify security settings, and we found this on a sandbox version of Acumatica used for dev/testing internally. Anyone else getting this? Is this something we can fix, or does Acumatica need to update some dependencies? Acumatica Version 2020R2 build: 20.214.0030

jQuery 3.4 fixed cross-site scripting vulnerability

04/23/19

CVE 2019-11358

jQuery before 3.4.0, as used in Drupal and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution.

If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Cross-site scripting vulnerability in jQuery.htmlPrefilter

07/18/20

Impact:

An attacker could launch a cross-site scripting attack, potentially leading to theft of session IDs or other consequences, and could create a denial of service condition.

Resolution:

Upgrade to jQuery 3.5.0 or higher (http://jquery.com/download/).
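As an added illustration (not code from this post, the scanner, jQuery or Acumatica), a toy deep merge in the shape of jQuery.extend(true, target, source) shows how an own "__proto__" key in untrusted JSON reaches Object.prototype, and the key guard of the kind jQuery 3.4.0 introduced. The function names and the sample JSON are constructed for this example.

```javascript
// Minimal stand-in for jQuery's plain-object test: Object.prototype itself
// passes it, which is exactly why the recursion below can write into it.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Deep merge modelled on jQuery.extend(true, target, source).
// guardProto=false reproduces the pre-3.4.0 behaviour; guardProto=true adds
// the "__proto__" skip that 3.4.0 introduced (the author's own guard, here
// written as a flag so both variants share one body).
function deepExtend(target, source, guardProto) {
  for (const key in source) {
    if (guardProto && key === "__proto__") continue; // the 3.4.0-style fix
    const copy = source[key];
    if (isPlainObject(copy)) {
      // Without the guard, target["__proto__"] reads Object.prototype, so the
      // recursive call merges the attacker-controlled object into it.
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtend(clone, copy, guardProto);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. user settings a page merges into defaults.
// JSON.parse produces an *own* enumerable key named "__proto__" (it does not
// invoke the __proto__ setter), which is what the unguarded loop visits.
const UNTRUSTED = '{"theme":"dark","__proto__":{"polluted":"yes"}}';

// Merge the payload with or without the guard, then probe whether a fresh,
// unrelated object now inherits the injected property. Cleans up afterwards
// so repeated calls start from an unpolluted prototype.
function mergeAndProbe(guardProto) {
  const settings = deepExtend({}, JSON.parse(UNTRUSTED), guardProto);
  const unrelated = {};
  const result = {
    theme: settings.theme,
    leakedToUnrelated: unrelated.polluted === "yes",
    prototypePolluted: Object.prototype.hasOwnProperty("polluted"),
  };
  delete Object.prototype.polluted;
  return result;
}
```

In a real page the leaked property is not an inert string but whatever a later code path trusts, which is how the scanner's "other consequences" and denial-of-service wording comes about.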

Best answer by ChandraM

Hi @scasagrande Yes, I agree that we need jQuery 3.5.0 or higher in order to secure the session ID. Resolution for supporting the higher versions of jQuery may be an idea that can be posted.


3 replies

  • Semi-Pro I
  • 714 replies
  • July 10, 2021

@scasagrande Thanks for the detailed information on the issue and the resolution to upgrade to jQuery 3.5.0 or higher.


  • Author
  • Freshman I
  • 4 replies
  • July 12, 2021

@ChandrasekharM I was not posting that as an answer. The jQuery plugin is used in the Acumatica code. So unless they state where you can upgrade it, nothing changes. You can’t just install a new jQuery version. Acumatica needs to update it in their dependencies for their application. While I could probably download a newer version of the minified jQuery script and place it in the scripts folder, I would then need to know every file that is calling that script in either HTML or aspx.cs files, and that is not something someone just administering the application should have to do.


  • Semi-Pro I
  • 714 replies
  • Answer
  • July 12, 2021

Hi @scasagrande Yes, I agree that we need jQuery 3.5.0 or higher in order to secure the session ID. Resolution for supporting the higher versions of jQuery may be an idea that can be posted.
