0 Replies Latest reply on Jul 23, 2018 12:37 PM by solvitec ecuador

    Security issues

    solvitec ecuador

      Dear, I have a query, my server Orion tells me that I have these security problems, someone has had these problems could tell me how to solve them a little more specifically

       

       

      Non-Secure Session Cookies Identified

      The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.

      Contact the vendor of this web application and request the Secure flag be set on session cookies transmitted over HTTPS.

      SSL Certificate is Self-Signed

      This SSL certificate appears to be issued by a private Certificate Authority (CA). Users will likely receive a security warning if their client software (e.g., web browser) does not trust the issuer of the certificate.

      If this certificate is associated with a service accessible to the general public, you may want to consider acquiring a certificate from a well-known CA. Please note the port associated with this finding. This finding may NOT be originating from port 443, which is what most online testing tools check by default.

      jQuery Core rquickExpr variable with Cross-Site Scripting Vulnerability

      jQuery is vulnerable to Cross-site Scripting (XSS) attacks because the Query() function does not differentiate selectors from HTML in a reliable way. In vulnerable versions, jQuery determines if the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility to build a malicious payload.

      This finding indicates that either the root domain url, sub-domain url, or an imported/sourced version of jQuery is below jQuery version 1.9.0. All three scenarios allow an attacker to execute cross site scripting attacks on the root domain.

      For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875).

      Upgrade jQuery to version 1.9.0 or higher. This includes versions of jQuery used on the root domain, subdomain, or imported/sourced libraries.

      For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875).

      jQuery Cross-Domain Asynchronous JavaScript and Extensible Markup Language Request Cross-site Scripting Vulnerability

      jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed.

      This finding indicates that either the root domain url, sub-domain url, or an imported/sourced version of jQuery is below jQuery version 3.0. All three scenarios allow an attacker to execute cross site scripting attacks on the root domain.

      For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875).

      Upgrade jQuery to version 3.0.0 or higher. This includes versions of jQuery used on the root domain, subdomain, or imported/sourced libraries.

      For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875).