
RESTful API Vulnerability

Our PCI compliance tests are failing after enabling the RESTful API.


jQuery < 1.9.0 XSS Vulnerability

Affected version: jquery-1.8.0.min.js


jQuery bug: 11290
https://bugs.jquery.com/ticket/11290
https://www.cvedetails.com/cve/CVE-2012-6708/


Path on firewall: https://your-utm-fqdn:4444/api/lib/


Model: SG310

Version: 9.602-3


Has this issue been addressed already or is it known at Sophos?

I compared the version on the firewall with the original and they seem identical. So it doesn't look like a patched version.


I found a similar post for the XG version https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/109122/failing-pci-scans-because-of-outdated-jquery-in-user-portal---is-there-a-fix but the solution does not apply in this case.


Can I do more than post it to this forum?

Hopefully your compliance tests are running from an internal system. The WebAdmin port should not be exposed to the Internet, as that would worry me more than component versions.

Since the issue is from 2012, the patch has almost certainly been backported to the version used by Sophos, but only Sophos knows for sure. You will have to open a ticket with Support to get an answer which is official enough to use as a response to the PCI scan.

Doug
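The two posts above turn on one question: does the jquery-1.8.0.min.js served from /api/lib/ still carry the selector-parsing behaviour of bug 11290 (CVE-2012-6708), or has the 1.9.0 fix been backported? The added example below (not from the thread, not Sophos code) reproduces the classification step of jQuery's `$(string)` constructor with the two regex literals as they appear in jQuery 1.8.x and 1.9.0 core, shows how a tainted string that merely contains a tag is treated as HTML under 1.8 but as a selector under 1.9, and adds a fingerprint check that can be run over the contents of the downloaded file to tell whether the pre-fix regex is still present. The function names, the tainted input and the two sample source snippets are constructed for illustration; only the two regex literals are taken from jQuery itself.

```javascript
// Added example, not part of the original thread or of any jQuery/Sophos code.
// Runs under Node.js with no dependencies.

// Regex literals as they appear in jQuery core (jQuery.fn.init):
// 1.8.x: "[^#<]*" lets arbitrary text precede the first "<", so any string
// that merely contains a tag is treated as an HTML fragment (bug 11290).
const RQUICKEXPR_1_8 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// 1.9.0: strict recognition, the string must start with "<" or be "#id".
const RQUICKEXPR_1_9 = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Reproduces how jQuery(selector) decides what a string argument is.
// Returns "html", "id" or "selector" (the last is handed to Sizzle).
function classify(str, version) {
  // Both versions short-circuit on an obvious "<...>" string first.
  if (str.charAt(0) === "<" && str.charAt(str.length - 1) === ">" && str.length >= 3) {
    return "html";
  }
  const re = version === "1.8" ? RQUICKEXPR_1_8 : RQUICKEXPR_1_9;
  const m = re.exec(str);
  if (!m) return "selector";
  if (m[1]) return "html"; // the (<tag>) capture group matched
  return "id";             // the #id capture group matched
}

// Fingerprint for a downloaded jquery file (minified or not): the pre-fix
// regex contains the literal text "[^#<]*(<[\w\W]+>)". A vendor backport of
// the 11290 fix removes it. Pass the full file contents as a string.
const VULNERABLE_FINGERPRINT = "[^#<]*(<[\\w\\W]+>)";
function hasUnpatchedQuickExpr(source) {
  return source.includes(VULNERABLE_FINGERPRINT);
}

// Constructed snippets standing in for the relevant part of a real file
// (the real files are far larger; only the regex literal matters here).
const SAMPLE_1_8 = String.raw`rquickExpr=/^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/`;
const SAMPLE_1_9 = String.raw`rquickExpr=/^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/`;

// Constructed attacker-influenced input of the kind that reaches $(...) in
// real pages, e.g. a search term or a location.hash fragment.
const TAINTED = "search term <img src=x onerror=alert(1)>";

function demo() {
  const inputs = [TAINTED, "<p>static markup</p>", "#content", "div.item"];
  for (const s of inputs) {
    console.log(JSON.stringify(s), "1.8:", classify(s, "1.8"), "1.9:", classify(s, "1.9"));
  }
  console.log("sample 1.8 source unpatched:", hasUnpatchedQuickExpr(SAMPLE_1_8));
  console.log("sample 1.9 source unpatched:", hasUnpatchedQuickExpr(SAMPLE_1_9));
}

demo();
```

To apply the fingerprint to the file in question, fetch https://your-utm-fqdn:4444/api/lib/jquery-1.8.0.min.js from an internal host and pass its contents to `hasUnpatchedQuickExpr`; a true result means the 1.8 selector parsing is still in place regardless of what the version string says, which is the concrete evidence a scan response or a Support ticket needs.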