Penetration testing

jQuery 1.8.3 flagged as a potentially vulnerable library

OutSystems uses jQuery version 1.8.3 which has the following known vulnerabilities:

• Issue - Selector interpreted as HTML. CVE-2012-6708 relates to a potential Cross-Site Scripting vulnerability in jQuery's selector operator ( $ ). While the jQuery version we ship with OutSystems is based on version 1.8.3, it contains some changes made by OutSystems. In particular, as of OutSystems version 9.1.401.0, the fix was backported and the $ operator is no longer vulnerable to this attack.

• Issue - Prototype pollution. The jQuery version 1.8.3 is vulnerable to Prototype Pollution, CVE-2019-11358. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects. You can find more information on the vulnerability here. While the jQuery version we ship with OutSystems is based on 1.8.3, it doesn't contain any of the patterns described in the vulnerability description, for which this is considered a false positive.

• Issue - Passing HTML from untrusted sources to one of jQuery's DOM manipulation methods. The jQuery versions 1.0.3 to 3.5.0 are vulnerable to the possible execution of untrusted code (CVE-2020-11022 and CVE-2020-11023). While the jQuery version we ship with OutSystems is based on 1.8.3, the Platform Server doesn't generate code that passes HTML from untrusted sources to the JQuery DOM manipulation methods, for which this is considered a false positive.

jQuery-ui-dialog flagged as a potentially vulnerable library

Some penetration testing tools may flag OutSystems as having a vulnerable jQuery-ui-dialog library.

OutSystems uses jQuery-ui-dialog version 1.8.24 which has a vulnerability known to this version - CVE-2010-5312. This vulnerability relates to the title() function, potentially allowing for unescaped content to be inserted in the title and causing a Cross Site Scripting problem.

All uses of the affected function by OutSystems properly encode the input parameter. As such, OutSystems isn't vulnerable despite this vulnerability still being present in jquery-ui-dialog.

As for applications developed by your users which make use of this library, you should ensure that you encode the input to the title() function correctly. Alternatively, you can import your own version of jquery-ui-dialog into a different namespace and use that version instead.