FALSE POSITIVE - jQuery 1.8.3 flagged as a vulnerable library

OutSystems

Some penetration testing tools may flag OutSystems as shipping a vulnerable jQuery library.

OutSystems uses jQuery version 1.8.3 which has the following known vulnerabilities:

Problem - Selector interpreted as HTML

Vulnerability #11290 relates to a potential Cross-Site Scripting vulnerability in jQuery's selector operator ( $ ).

Reason for false positive

While the jQuery version we ship with OutSystems is based on version 1.8.3, it contains some changes made by OutSystems. In particular, as of OutSystems version 9.1.401.0, the fix was backported and the $ operator should no longer be vulnerable to this attack.

Problem - Prototype pollution

jQuery version 1.8.3 is vulnerable to Prototype Pollution. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects. Find more information on the vulnerability here.

Reason for false positive

While the jQuery version we ship with OutSystems is based on 1.8.3, it does not contain any of the patterns described in the vulnerability description, which is why this is considered a false positive.
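As an added example (not OutSystems' or jQuery's code; all names are assumed), the following canary check tells whether a given extend-like deep merge can be driven into modifying Object.prototype, run against a deliberately naive merge that shows the pattern described above and against a hardened merge that skips prototype-altering keys. The same check can be pointed at any shipped $.extend to confirm or dismiss a scanner's finding.

```javascript
// Added example, not OutSystems' or jQuery's code. Names are assumed.
// checkExtendForPollution(extendFn) feeds an extend-like deep merge a
// constructed "__proto__" payload and reports whether Object.prototype
// was modified, cleaning up afterwards so the check is repeatable.

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Naive deep merge showing the vulnerable pattern: it recurses into
// target[key] for every source key, and for the key "__proto__" that
// lookup resolves to Object.prototype.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = naiveDeepExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: only own keys are copied and prototype-altering keys
// are skipped, so no source structure can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Canary check: true when extendFn lets the payload reach Object.prototype.
// JSON.parse is used so "__proto__" is an own key, as parsed input would be.
function checkExtendForPollution(extendFn) {
  const canary = "ppCanary"; // constructed marker property
  const payload = JSON.parse(`{"__proto__": {"${canary}": true}}`);
  try {
    extendFn({}, payload);
    return ({})[canary] === true;
  } finally {
    delete Object.prototype[canary]; // undo any pollution the check caused
  }
}

console.log("naive merge pollutes Object.prototype:", checkExtendForPollution(naiveDeepExtend));
console.log("hardened merge pollutes Object.prototype:", checkExtendForPollution(safeDeepExtend));
```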