Solved

Jquery out of date on the login page causing medium vulnerability found on PCI Scan

  • 9 July 2021
  • 3 replies
  • 144 views

We scan our public IP quarterly to verify security settings and we found this on a sandbox version of Acumatica used for dev/testing internally. Anyone else getting this? Is this something we can fix, or does Acumatica need to update some dependencies? Acumatica Version 2020R2 build: 20.214.0030

jQuery 3.4 fixed cross-site scripting vulnerability

04/23/19

CVE 2019-11358

jQuery before 3.4.0, as used in Drupal and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution.

If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Cross-site scripting vulnerability in jQuery.htmlPrefilter

07/18/20

Impact:

An attacker could launch a cross-site scripting attack, potentially leading to theft of session IDs or other consequences, and could create a denial of service condition.

Resolution:
[http://jquery.com/download/] Upgrade to jQuery 3.5.0 or higher.
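The report above describes the mechanism of the first finding (a deep `jQuery.extend(true, {}, ...)` walking into an enumerable `__proto__` key) but does not show it. The block below is an added example for this thread, not code from the post, from jQuery or from Acumatica: a small merge function with the same weakness, the hardened form beside it, a self-cleaning check that reports whether a merge polluted `Object.prototype`, and a version-triage helper that fingerprints jQuery by script file name the way a PCI scanner typically does. All inputs, including the script paths, are constructed placeholders.

```javascript
// Added example for this thread; it is not code from the forum post, from
// jQuery or from Acumatica. It mirrors the jQuery.extend(true, ...) weakness
// the scan report describes (CVE-2019-11358) with a small merge function,
// shows the hardened form, and adds a version check a scan-triage script could
// use. Every input below is constructed for the demonstration.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive recursive merge. JSON.parse turns "__proto__" into an ordinary own key,
// so the loop reaches it; target["__proto__"] resolves to Object.prototype and
// the recursion writes into it, which is the pollution the report describes.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: skip prototype-related keys (the 3.4.0-style fix) and only
// recurse into properties the target itself owns, never inherited ones.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs one merge over a constructed untrusted object and reports whether a
// fresh, unrelated object now inherits the injected property. Cleans up after
// itself so the rest of the process is unaffected.
function pollutesPrototype(mergeFn) {
  const untrusted = JSON.parse('{"name":"demo","__proto__":{"polluted":true}}');
  mergeFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// Version triage: true when `version` is below the `fixed` release the scan
// asks for (3.5.0 covers both findings in the report).
function isJQueryBelowFixed(version, fixed = '3.5.0') {
  const parse = v => v.split('.').map(n => parseInt(n, 10) || 0);
  const a = parse(version), b = parse(fixed);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Scanners usually fingerprint jQuery by the script file name. Given the
// <script src> values seen on a page, return the ones below the fixed version.
const JQUERY_FILE = /jquery[-.]?(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js/i;
function findOutdatedJQuery(scriptSrcs, fixed = '3.5.0') {
  const hits = [];
  for (const src of scriptSrcs) {
    const m = JQUERY_FILE.exec(src);
    if (m && isJQueryBelowFixed(m[1], fixed)) hits.push({ src, version: m[1] });
  }
  return hits;
}

// Constructed script list (placeholder paths, not Acumatica's real layout).
const SAMPLE_SCRIPTS = [
  '/Scripts/jquery-3.3.1.min.js',
  '/Scripts/jquery-3.5.1.js',
  '/Scripts/app.js',
];

console.log('naive merge pollutes Object.prototype:', pollutesPrototype(naiveDeepMerge));
console.log('safe merge pollutes Object.prototype:', pollutesPrototype(safeDeepMerge));
console.log('outdated jQuery scripts:', findOutdatedJQuery(SAMPLE_SCRIPTS));
```

Two points worth noting for triage. The hardened merge does more than drop `__proto__`: it also refuses to recurse into inherited properties of the target, so an own-key check is the general rule and the key blocklist is the specific fix. And because the scanner fingerprints by file name, a copy of a newer jQuery dropped into a scripts folder is neither a real fix for the bundled library the application actually loads nor a reliable way to clear the finding; the dependency has to be updated where the application references it.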

Best answer by ChandraM 12 July 2021, 21:14

3 replies

@scasagrande Thanks for the detailed information on the issue and the resolution to upgrade to jQuery 3.5.0 or higher.

@ChandrasekharM I was not posting that as an answer. The jQuery plugin is used in the Acumatica code. So unless they state where you can upgrade it, then nothing changes. You can’t just install a new jQuery version. Acumatica needs to update it in their dependencies for their application. While I could probably download a newer version of the minified jQuery script and place it in the scripts folder, I would then need to know every file that is calling that script in either HTML or aspx.cs files, and that is not something someone just administrating the application should have to do.

Hi @scasagrande Yes, I agree that we need jQuery 3.5.0 or higher in order to secure the session ID. Resolution for supporting the higher versions of jQuery may be an idea that can be posted.
