The following security vulnerabilities have been resolved or mitigated within Build 83:
Implementing HSTS Security Headers on MAE
HTTP Strict-Transport-Security (HSTS) headers are increasingly required by security reviews of web applications.
An HSTS header sent from a web server instructs recipient browsers NOT to connect to the URL domain over plain HTTP, but only over encrypted HTTPS.
NOTE: this header must be used very carefully, as there is a risk of denying users access to other applications on the same URL domain which do require the use of HTTP.
IIS 10 features a great way of configuring HSTS headers for a 'site', which also incorporates a flag to automatically upgrade HTTP connections to HTTPS.
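As an added illustration (not part of the original note), the following applicationHost.config fragment shows the per-site HSTS element that IIS 10 (version 1709 and later) provides; the site name "MAE" and the chosen max-age value are assumptions, and the conservative settings reflect the warning above about other HTTP-only applications on the same domain.

```xml
<!-- applicationHost.config, inside <system.applicationHost><sites> -->
<!-- Site name "MAE" is assumed; substitute the site hosting your MooD application. -->
<site name="MAE" id="2">
  <bindings>
    <binding protocol="http" bindingInformation="*:80:mae.example.com" />
    <binding protocol="https" bindingInformation="*:443:mae.example.com" sslFlags="1" />
  </bindings>
  <!-- enabled:             emit the Strict-Transport-Security header on HTTPS responses
       max-age:             seconds the browser remembers the policy; start small (1 day) while
                            validating, then raise to 31536000 (1 year) once rollout is confirmed
       includeSubDomains:   left false so HTTP-only applications on other hosts in the same
                            domain are not locked out (see the NOTE above)
       redirectHttpToHttps: the IIS flag that upgrades HTTP requests to HTTPS automatically -->
  <hsts enabled="true"
        max-age="86400"
        includeSubDomains="false"
        redirectHttpToHttps="true" />
</site>
```

Browsers cache the policy for the full max-age, so a header sent once with a long max-age cannot be recalled from clients that have already seen it; verify the site over HTTPS before raising the value.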
jQuery Vulnerability - CVE-2020-11022
Vulnerability:
This vulnerability may allow cross-site scripting (XSS) attacks due to improper parsing in the jQuery.htmlPrefilter method.
This vulnerability affects jQuery versions greater than or equal to 1.2 and less than 3.5.
Resolution:
jQuery patch applied.
Note: a fix to the jQuery htmlPrefilter vulnerability can be retrofitted to versions of MooD < 16.085 by including the following JavaScript to all views:
    if (typeof jQuery === "function") {
        // Return the markup unchanged. This disables the regex-based expansion of
        // self-closing tags that the vulnerable htmlPrefilter performed, matching
        // the behaviour of the patched jQuery 3.5 implementation.
        jQuery.htmlPrefilter = function( html ) {
            return html;
        };
    }
This is best achieved by adding the above script to XHTML panels which are applied to all views (ideally using Model Masters).
These changes are made available in Build 85.