Hi everyone,
Here are two Nessus reports about Duplicati:
JQuery 1.2 < 3.5.0 Multiple XSS
Description
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.
Note, the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.
Solution
Upgrade to JQuery version 3.5.0 or later.
AND
Web Server Generic Cookie Injection
Description
The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a ‘session fixation’ attack using this mechanism.
Please note that:
- Nessus did not check if the session fixation attack is feasible.
- This is not the only vector of session fixation.
See Also
http://projects.webappsec.org/w/page/13246960/Session%20Fixation
The jQuery one is quite simple to fix, but the other one is more complex. Do you think it could be a problem for enterprise use?
Kind regards
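The two findings above can both be checked outside Nessus. The following Python is an added example written for this thread; it is not code from the original post, from Nessus, or from the Duplicati project. The first part does what the jQuery plugin describes: it reads the self-reported version banner that jQuery builds embed at the top of their source (the banner format and the regex are assumptions based on common jQuery headers) and flags anything in the [1.2, 3.5.0) range. The second part addresses the cookie-injection finding from the defender's side: before a request-derived string is ever placed in a `Set-Cookie` header, it is validated against the RFC 6265 `cookie-octet` set, which excludes CR, LF, semicolons, commas and other separators, so a request string cannot add or overwrite cookie attributes. All sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed sample banners, shaped like the comment jQuery places at the top of its source.
OUTDATED_JQUERY_HEADER = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */"
CURRENT_JQUERY_HEADER = "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */"

# Range flagged by the Nessus plugin quoted above: >= 1.2 and < 3.5.0.
AFFECTED_FROM = (1, 2, 0)
FIXED_IN = (3, 5, 0)

# Assumption: jQuery reports itself as "jQuery vX.Y.Z" or "jQuery JavaScript Library vX.Y.Z".
_VERSION_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?")


def jquery_version(script_text: str) -> Optional[Tuple[int, int, int]]:
    """Return the self-reported (major, minor, patch) of a jQuery script, or None if no banner is found."""
    m = _VERSION_RE.search(script_text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"  # "v1.2" style banners have no patch
    return (int(major), int(minor), int(patch))


def jquery_is_outdated(script_text: str) -> bool:
    """True when the banner reports a version inside the affected range [1.2, 3.5.0)."""
    v = jquery_version(script_text)
    return v is not None and AFFECTED_FROM <= v < FIXED_IN


# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E.
# This excludes control characters (CR, LF), space, double quote, comma, semicolon and backslash.
_COOKIE_OCTET_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
# HTTP token characters, used for the cookie name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_cookie_injection_attempt(request_value: str) -> bool:
    """True when a request-derived value contains characters that would break out of a cookie value."""
    return _COOKIE_OCTET_RE.fullmatch(request_value) is None


def safe_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header line, refusing any name or value that could inject attributes or headers."""
    if _TOKEN_RE.fullmatch(name) is None:
        raise ValueError("cookie name is not a valid token")
    if is_cookie_injection_attempt(value):
        raise ValueError("cookie value contains characters outside the RFC 6265 cookie-octet set")
    # Hardening attributes are fixed here rather than taken from the request.
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    for header in (OUTDATED_JQUERY_HEADER, CURRENT_JQUERY_HEADER):
        print(jquery_version(header), "outdated" if jquery_is_outdated(header) else "ok")
    # Constructed request values: a benign one and one carrying a CRLF plus a second cookie.
    for value in ("abc123", "abc\r\nSet-Cookie: sid=attacker-chosen"):
        try:
            print(safe_set_cookie("sid", value))
        except ValueError as exc:
            print("rejected:", exc)
```

The version check is only as reliable as the banner, which is exactly the caveat Nessus itself makes ("self-reported version"); a minified build with the comment stripped returns `None` and has to be checked another way. The cookie check is a whitelist, not a blacklist of `<script>` fragments, which is why it also catches the CRLF and semicolon cases that matter for cookie injection and session fixation.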