Kentico 10 Failing PCI Scan XSS

L Younkins asked on August 13, 2020 16:12

Hello. We are still on Kentico 10 and failed a PCI scan. The results said XSS vulnerabilities. I am not completely understanding the Kentico documentation on how to resolve this. Tested with in the Search box and it executed with a 1 in a message box popup.
I have already updated the Web.config file with the recommendations. The documentation lists the following as ways to avoid it, but I am not sure where to do this. In the CMS itself? On the server?

Recent Answers

Brian McKeiver answered on August 13, 2020 23:25

Hi Laurie,

One thing that would help us to help you is to let us know whether you are on Portal or MVC. Assuming you are on the Portal engine, there are some automatic scripts that get added to the page in question based on which web parts you are using. Could you let us know a bit more about the specific error, or where in the site you are seeing this?

0 votes

L Younkins answered on August 14, 2020 17:58 (last edited on August 14, 2020 23:39)

We are using a Portal-based Kentico 10 CMS. It is hosted offsite by a hosting company, running on .NET.

We failed the Trustwave PCI scan in 2 areas:
* jQuery DOM methods Cross-Site Scripting Vulnerability, CVE-2020-1102
* jQuery DOM option element Cross-Site Scripting Vulnerability, CVE-2020-11
The recommended solution is for us to upgrade jQuery to version 3.5.1; however, we were advised that upgrading could cause things to not work correctly.

0 votes

Brian McKeiver answered on August 16, 2020 01:06

Laurie, you are correct that upgrading could cause an issue, but that is likely the only way to pass the scan. It is possible to upgrade just the "live" site without having issues; you just need to swap the library out for 3.5.1 and test it with your custom JavaScript on the site.

1 vote
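After swapping the library as the answer above describes, the first thing to confirm on the live site is that the page really loads 3.5.1 and not a second, older copy pulled in by a web part. The following is an added example, not code from this thread or from Kentico: a small version check you can paste into the browser's developer-tools console. It reads `jQuery.fn.jquery` (the property where jQuery stores its own version string) and compares it against the 3.5.1 minimum the scan recommended. The function names and the `3.5.1` default are assumptions for this example.

```javascript
// Added example: verify the jQuery version a page has loaded meets a minimum.
// Not part of the forum thread or of Kentico; names and defaults are assumed.

// Parse "3.5.1", "3.5" or "3.5.1-pre" into [major, minor, patch]; null if unparseable.
function parseVersion(v) {
  if (typeof v !== "string") return null;
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Numeric, component-wise comparison (so "3.10.0" ranks above "3.9.0").
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error("unparseable version string");
  for (let i = 0; i < 3; i++) {
    if (pa[i] < pb[i]) return -1;
    if (pa[i] > pb[i]) return 1;
  }
  return 0;
}

// True when the loaded version is at least `minimum`; false when the page
// has no jQuery or a version string we cannot read (treat both as a failed check).
function jqueryMeetsMinimum(loadedVersion, minimum = "3.5.1") {
  if (!parseVersion(loadedVersion)) return false;
  return compareVersions(loadedVersion, minimum) >= 0;
}

// Browser usage (devtools console on the live site after the swap):
//   jqueryMeetsMinimum(window.jQuery ? jQuery.fn.jquery : null)
// A result of false means an older copy is still being served to visitors,
// which is what the scanner keys on, regardless of which file you replaced.
```

Run it on several page templates, not just the home page, because the answer above notes that Portal-engine web parts inject their own scripts; a template whose web part bundles an older jQuery will still report the old version even after the site-wide file has been replaced.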
