Cross-site Scripting (XSS) Vulnerability in Exist-db Ver. 4.0 due to Jquery version 1.7.1 #190
Comments
For security-related issues please send an email to security@exist-db.org. There are ways to avoid the jQuery vulnerability depending on your use case. For general security advice for production environments see Production Use - Good Practice from the documentation.
Hi All,
Please let me know the steps, how do I fix the jQuery vulnerability at my exist-db instance?
Thanks & Regards,
Himanshu Bhargav
________________________________
From: Duncan Paterson <notifications@github.com>
Sent: 05 May 2018 22:00:11
To: eXist-db/eXide
Cc: Bhargav, Himanshu; Author
Subject: Re: [eXist-db/eXide] Cross-site Scripting (XSS) Vulnerability in Exist-db Ver. 4.0 due to Jquery version 1.7.1 (#190)
For security-related issues please send an email to security@exist-db.org. There are ways to avoid the jQuery vulnerability depending on your use case. For general security advice for production environments see Production Use - Good Practice <http://www.exist-db.org/exist/apps/doc/production_good_practice.xml> from the documentation.
I have a few apps where I use an updated version of Bootstrap and jQuery, all installed in my XAR files in a collection called 'resources' alongside some CSS and other JS files.
We have installed eXist-db version 4.0 on our AWS server on port 8090, which is open to the internet. In a recent scan of the server, we encountered vulnerabilities on this port because eXist-db uses an old version of jQuery (1.7.1).
As per the remediation reports, it has been advised to upgrade jQuery to version 3.0.0 or higher. I have checked the latest version of eXist-db, but it is also using the older version of jQuery. We cannot manually replace the jQuery version because it is referenced by many objects of the eXist-db server.
Kindly advise and let me know how I can solve this issue. Please find below the related reference links and details.
https://snyk.io/vuln/npm:jquery:20150627
https://bugs.jquery.com/ticket/11290
https://nvd.nist.gov/vuln/detail/CVE-2012-6708
jQuery is vulnerable to Cross-site Scripting (XSS) attacks because the jQuery() function does not differentiate selectors from HTML in a reliable way. In vulnerable versions, jQuery determines whether the input is HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility to build a malicious payload.
Is eXist-db planning to release a new setup with the latest version of jQuery?
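The following is an added example, not code from eXist-db or from the jQuery project. It models the selector-versus-HTML decision that CVE-2012-6708 concerns: the pre-1.9 rule (a '<' anywhere marks the argument as HTML), the rule jQuery 1.9 and later use (only a leading '<' does), and a defensive wrapper an application author can put in front of any user-controlled string before it reaches $(...), so that the HTML-parsing branch is never reached whatever jQuery version the server ships. The SAFE_SELECTOR grammar and the sample inputs are constructed for this example.

```javascript
// Added example (not eXist-db or jQuery code): models the HTML-vs-selector
// heuristic behind CVE-2012-6708 and shows a defensive selector wrapper.

// Legacy rule (jQuery before 1.9): the argument is HTML whenever a '<'
// appears anywhere in it. This is the behaviour the advisory describes.
function legacyIsHtml(input) {
  return input.indexOf("<") !== -1;
}

// Strict rule (jQuery 1.9 and later): only an argument that begins with
// '<' (optionally after whitespace) is HTML; everything else is a selector.
function strictIsHtml(input) {
  return /^\s*</.test(input);
}

// Conservative selector grammar for untrusted input (constructed for this
// example, not jQuery's): a tag name with an optional #id or .class suffix,
// or a bare #id / .class. Anything richer is refused.
const SAFE_SELECTOR =
  /^[a-zA-Z][\w-]*([#.][a-zA-Z_][\w-]*)?$|^[#.][a-zA-Z_][\w-]*$/;

// Classify a string under a given rule: "html" or "selector".
function classify(input, rule) {
  return rule(input) ? "html" : "selector";
}

// Defensive wrapper: accept only a whitelisted selector shape and never a
// string containing markup. Pass the return value to $(...) only when it is
// non-null; a null means the input must not be used as a selector at all.
function safeSelector(input) {
  if (typeof input !== "string") return null;
  if (input.indexOf("<") !== -1) return null; // selector text never contains '<'
  return SAFE_SELECTOR.test(input) ? input : null;
}

// Summarise how one input fares under both rules and under the wrapper.
function report(input) {
  return {
    input: input,
    legacy: classify(input, legacyIsHtml),
    strict: classify(input, strictIsHtml),
    accepted: safeSelector(input),
  };
}

// Constructed sample inputs: a benign selector, a benign HTML fragment, and
// a selector-shaped string with markup appended. The third one is parsed as
// HTML under the legacy rule, treated as a (failing) selector under the
// strict rule, and rejected outright by the wrapper.
const samples = ["#main", "<p>hello</p>", "#main<b>x</b>"];

for (const s of samples) {
  console.log(report(s));
}
```

On a server that still ships jQuery 1.7.1, routing every user-influenced string through a wrapper like safeSelector (or, in jQuery, through $(document).find(selector) rather than $(selector)) removes the ambiguity the advisory is about, independently of whether the bundled library can be upgraded.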