  1. #1
    Join Date
    Mar 2006
    Posts
    86
    Plugin Contributions
    0

    Default ASV Vulnerability Test FAILED

    www.Vodmochka.com; Apache 2.4.25; PHP 5.6.30;
    I am running ZC version 1.5.0 since it came out originally.
    I use First Data and PayPal.
    Once a month Trustwave runs the vulnerability test.
    Until now, all the problems that came up I could fix myself or with the help of my web host, Stormwire.com.
    Right now they told me they cannot fix the problem, because I am on a shared server.
    Please let me know what my options are to fix this problem.

    Here is the failed vulnerability Report:

    "Port: tcp/80
    jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed.
    This finding indicates that either the root domain url, sub-domain url, or an imported/sourced version of jQuery is below jQuery version 3.0. All three scenarios allow an attacker to execute cross site scripting attacks on the root domain.
    For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875).
    This finding is based on version information which may not have been updated by previously installed patches (e.g., Red Hat "back ports"). Please submit a "Patched Service" dispute in TrustKeeper if this vulnerability has already been patched.
    All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
    CVE: CVE-2015-9251
    NVD: CVE-2015-9251
    CVSSv2: AV:N/AC:M/Au:N/C:N/I/A:N
    Service: http
    Application: apache:http_server
    Reference:
    https://github.com/jquery/jquery/issues/2432
    https://snyk.io/vuln/npm:jquery:20150627
    Evidence:
    Match: '1.12.0' is less than '3.0.0'
    Remediation:
    Upgrade jQuery to version 3.0.0 or higher. This includes versions of jQuery used on the root domain, subdomain, or imported/sourced libraries.
    For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875)."

    I appreciate any help I can get.
    Our New Zen cart: www.EmbroideryPortraits.com/Gifts/
    www.vodmochka.com/Embroidery_Designs
    All critics and suggestions are welcome!

  2. #2
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Default Re: ASV Vulnerability Test FAILED

    Looks like, besides the recommendation to basically upgrade to the latest ZC version (which seems to have been done in bits and pieces) http://www.zen-cart.com/entry.php?3-...d-of-upgrading, a more recent version of jQuery is recommended, any version greater than 3.0.0.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  3. #3
    Join Date
    Mar 2006
    Posts
    86
    Plugin Contributions
    0

    Default Re: ASV Vulnerability Test FAILED

    I do not host my website and I cannot do anything about the server.
    My host told me they cannot update jQuery to the 3.0.0 or higher version, because that would break other websites on the same server.
    Is that true, or just an excuse to put my site(s) on a dedicated server that costs five times more?

    Is there information somewhere on this forum about reliable, affordable hosting services?



  4. #4
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,691
    Plugin Contributions
    9

    Default Re: ASV Vulnerability Test FAILED

    you do not have an understanding of jQuery; nor does it sound like your host does.

    jQuery is run on the client side; your code tells the browser which version to use. for example, on your login page, if you view the source, you will see you are using 1.12:

    Code:
    <meta name="authors" content="Istvan Parragh & Ildiko Pataki" /> 
    <meta name="distribution" content="global" /> 
    <meta name="rating" content="general" /> 
    <meta name="Owner" content="Vodmochka, Inc." /> 
    <meta name="Copyright" content="1997-2012 Copyright Vodmochka, Inc. " /> 
    <meta name="rights" content="All material contained herein is owned by Vodmochka Graffix, or its respective owners. Any attempts to reproduce this information without the express written consent from the owner will be prosecuted." /> <meta name="revisit-after" content="15 days" /> 
    <meta name="generator" content="shopping cart program by Zen Cart&reg;, http://www.zen-cart.com eCommerce" />   
    <base href="https://www.embroideryportraits.com/Gifts/" />  
    <link rel="stylesheet" type="text/css" href="includes/templates/emb_gifts/css/stylesheet.css" /> 
    <link rel="stylesheet" type="text/css" href="includes/templates/emb_gifts/css/stylesheet_css_buttons.css" /> 
    <link rel="stylesheet" type="text/css" media="print" href="includes/templates/emb_gifts/css/print_stylesheet.css" />  
    <script type="text/javascript">window.jQuery || document.write(unescape('%3Cscript type="text/javascript" src="//code.jquery.com/jquery-1.12.0.min.js"%3E%3C/script%3E'));</script> 
    <script type="text/javascript">window.jQuery || document.write(unescape('%3Cscript type="text/javascript" src="includes/templates/template_default/jscript/jquery.min.js"%3E%3C/script%3E'));</script>
    hosting has nothing to do with this part of the equation. you need better support on the ZC side of things.

    if you want a good host, try @barco57:

    https://geekhost.ca/

    seems to know ZC pretty well...
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.
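Added here as an illustration of the point made in the post above, not code from the post, from Zen Cart or from the scanner: a small audit that reads page HTML the way the ASV's jQuery Script Detection does, including the `document.write(unescape(...))` fallback form shown in the view-source, takes the version from the filename where it has one, and falls back to the `/*! jQuery vX.Y.Z` build banner for a locally hosted `jquery.min.js` whose name carries no version. The HTML fragment, the local file contents and the banner version in it are constructed for the example and say nothing about what is actually on the site; the function names are assumptions.

```javascript
// Added example, not Zen Cart's, Trustwave's or jQuery's code: audit a page's
// HTML for jQuery references and flag versions below 3.0.0, the check behind
// the ASV finding. Names and sample data are assumptions made for the example.

// Constructed fragment modelled on the view-source posted above: a CDN copy
// with the version in its filename and a versionless local fallback, both
// written through document.write(unescape(...)), plus one modern reference.
const SAMPLE_HTML = `
<script type="text/javascript">window.jQuery || document.write(unescape('%3Cscript type="text/javascript" src="//code.jquery.com/jquery-1.12.0.min.js"%3E%3C/script%3E'));</script>
<script type="text/javascript">window.jQuery || document.write(unescape('%3Cscript type="text/javascript" src="includes/templates/template_default/jscript/jquery.min.js"%3E%3C/script%3E'));</script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
`;

// Constructed stand-in for reading the local file off disk. jQuery builds open
// with a banner of the form "/*! jQuery vX.Y.Z | ... | jquery.org/license */";
// the version in this one is invented for the example.
const LOCAL_FILES = {
  "includes/templates/template_default/jscript/jquery.min.js":
    "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}(window);",
};

// Make document.write(unescape('...')) payloads visible as ordinary markup by
// decoding the %XX sequences (unescape and decodeURIComponent agree on these).
function expandUnescape(html) {
  return html.replace(/unescape\('([^']*)'\)/g, (whole, encoded) => {
    try {
      return "'" + decodeURIComponent(encoded) + "'";
    } catch (e) {
      return whole;                   // leave malformed sequences untouched
    }
  });
}

// Every src attribute on a <script> tag, including the decoded fallbacks.
function scriptSources(html) {
  const sources = [];
  const tag = /<script\b[^>]*?\bsrc=["']([^"']+)["']/gi;
  const expanded = expandUnescape(html);
  let match;
  while ((match = tag.exec(expanded)) !== null) {
    sources.push(match[1]);
  }
  return sources;
}

// Version embedded in a filename such as jquery-1.12.0.min.js; null if none.
function versionFromPath(src) {
  const match = /jquery-v?(\d+\.\d+\.\d+)/i.exec(src);
  return match ? match[1] : null;
}

// Version from the build banner of a file whose name carries no version.
function versionFromBanner(contents) {
  const match = /\/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)/.exec(contents);
  return match ? match[1] : null;
}

// Numeric comparison of dotted versions; a string compare would put 10 < 3.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// One finding per jQuery reference: where it came from, which version, and
// whether it is below the minimum the scanner accepts. `vulnerable` is null
// when no version could be determined (a real audit would fetch the file).
function auditJquery(html, localFiles, minimum) {
  const min = minimum || "3.0.0";
  return scriptSources(html)
    .filter((src) => /jquery/i.test(src))
    .map((src) => {
      let version = versionFromPath(src);
      if (!version && localFiles[src]) {
        version = versionFromBanner(localFiles[src]);
      }
      return { src, version, vulnerable: version ? compareVersions(version, min) < 0 : null };
    });
}

for (const f of auditJquery(SAMPLE_HTML, LOCAL_FILES)) {
  console.log(f.vulnerable ? "FAIL" : f.vulnerable === null ? "????" : "ok  ", f.version || "unknown", f.src);
}
```

Both fallbacks in the posted source need checking. The `window.jQuery ||` guard means the first `<script>` that gets written and loads sets `window.jQuery` and the second is never written, so the local copy is what visitors get whenever the CDN is unreachable, and a scanner reading the HTML will keep reporting whichever reference carries the lower version.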

  5. #5
    Join Date
    Mar 2006
    Posts
    86
    Plugin Contributions
    0

    Default Re: ASV Vulnerability Test FAILED

    Thank you for the help.
    I think I will just install the latest version of ZC and relearn the basics in the process.
    Hopefully that will solve this problem.
    Thanks again,

  6. #6
    Join Date
    Mar 2006
    Posts
    86
    Plugin Contributions
    0

    Default Re: ASV Vulnerability Test FAILED

    I need to correct the ZC version I use: it is 1.5.5a
    I installed it over two years ago and forgot.

    I found the file that has the outdated jQuery version the vulnerability scan has a problem with:
    html_header.php

    This problem will come up sooner or later for everybody accepting credit cards on ZenCart.
    Please see in the original post:
    Quote Originally Posted by PortraitArtist View Post
    All Cross-Site Scripting vulnerabilities are considered non-compliant by
    PCI.
    ........
    Upgrade jQuery to version 3.0.0 or higher. This includes versions of
    jQuery used on the root domain, subdomain, or imported/sourced
    libraries.
    I think correcting the html_header.php file would solve this problem.
    I would like to know: what is the proper way to change the jQuery version?

    jQuery version update in html_header.php file

    ZenCart Version updates 1.2.6; 1.3.7; 1.3.9; 1.5.0; 1.5.5a
