OutSystems

FALSE POSITIVE - jquery-ui-dialog flagged as a potentially vulnerable library

Problem

Some penetration testing tools may flag OutSystems as shipping a vulnerable jquery-ui-dialog library.

OutSystems uses jquery-ui-dialog version 1.8.24. The vulnerability known for this version is CVE-2010-5312: the dialog title is inserted into the title bar as HTML rather than as text, so a title built from unencoded input can lead to cross-site scripting.

Resolution

Everywhere OutSystems itself sets a dialog title, the value is HTML-encoded before it reaches the affected code. It is therefore our understanding that OutSystems is not vulnerable, even though the vulnerable code is still present in the bundled jquery-ui-dialog.

For applications developed by our users that make use of this library, HTML-encode any untrusted value before passing it as the dialog title. Alternatively, you can import your own version of jquery-ui-dialog (1.10.0 or later, which no longer has this issue) into a different namespace and use that version instead.
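The following is an added example, not code from OutSystems or from jQuery UI. It shows why an unencoded dialog title is an XSS sink in jQuery UI 1.8.x (the title option is written with .html(); 1.10.0 switched to .text()), and the encoding a caller should apply before passing untrusted text as the title. The helper names (escapeHtml, safeDialogOptions, probeDialogTitleSink), the legacy-behaviour model and the attacker-controlled sample title are all assumptions constructed for the example; the probe at the end is browser-only and assumes jQuery UI is loaded.

```javascript
// Added example (not OutSystems or jQuery UI code). Models the CVE-2010-5312
// sink in jQuery UI <= 1.9 dialog, where the title option is inserted with
// .html(), and shows the encoding step a caller must apply before passing
// untrusted text as a dialog title.

// Minimal HTML encoder for text that will end up inside an .html() call.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Constructed model of the 1.8.x title setter: the option string becomes the
// innerHTML of the title span (no DOM here, just the markup the browser parses).
function legacyTitleMarkup(titleOption) {
  return '<span class="ui-dialog-title">' + (titleOption || '&#160;') + '</span>';
}

// True when the title text was interpreted as HTML (the vulnerable outcome):
// anything that looks like a tag survives inside the wrapper span.
function titleWasParsedAsHtml(markup) {
  const inner = markup
    .replace(/^<span class="ui-dialog-title">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Options object to hand to $(el).dialog(...) when the title comes from an
// untrusted source (query string, record name, user profile, ...).
function safeDialogOptions(untrustedTitle, extra = {}) {
  return Object.assign({}, extra, { title: escapeHtml(untrustedTitle) });
}

// Constructed sample input: an attacker-controlled record name used as a title.
const ATTACKER_TITLE = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable usage: $(el).dialog({ title: ATTACKER_TITLE }) on 1.8.24 renders the <img>.
const vulnerableMarkup = legacyTitleMarkup(ATTACKER_TITLE);
// Hardened usage: $(el).dialog(safeDialogOptions(ATTACKER_TITLE)) renders literal text.
const hardenedMarkup = legacyTitleMarkup(safeDialogOptions(ATTACKER_TITLE).title);

// Browser-only probe (assumes jQuery and jQuery UI dialog are loaded): creates a
// hidden dialog whose title contains a tag and reports whether the widget
// parsed it. True means the loaded build still has the .html() sink.
function probeDialogTitleSink($) {
  const el = $('<div>').appendTo('body')
    .dialog({ title: '<b id="title-sink-probe">t</b>', autoOpen: false });
  const parsed = el.dialog('widget').find('#title-sink-probe').length > 0;
  el.dialog('destroy').remove();
  return parsed;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', vulnerableMarkup, titleWasParsedAsHtml(vulnerableMarkup));
  console.log('hardened:  ', hardenedMarkup, titleWasParsedAsHtml(hardenedMarkup));
}
```

Encoding at the call site is what the resolution above relies on: the dialog code still writes the title as HTML, but an encoded string contains no tags for it to parse. The probe function is the quick way to confirm in a real page whether a given build (the bundled 1.8.24 or your own namespaced copy) treats the title as HTML, which is more informative than a scanner's version match.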
