Security issue: Web Server Generic Cookie Injection and JQuery 1.2 < 3.5.0 Multiple XSS

Hi everyone,

Here are 2 Nessus reports about Duplicati:

JQuery 1.2 < 3.5.0 Multiple XSS

Description

According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.

Note, the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.

Solution

Upgrade to JQuery version 3.5.0 or later.

AND

Web Server Generic Cookie Injection

Description

The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a ‘session fixation’ attack using this mechanism.

Please note that:

  • Nessus did not check if the session fixation attack is feasible.

  • This is not the only vector of session fixation.

See Also

http://projects.webappsec.org/w/page/13246960/Session%20Fixation

The jQuery one is quite simple to fix but the other one is more complex. Do you think it could be a problem for enterprise use?

Kind regards

I guess that would depend on your security tolerance. Definitely don’t expose the Duplicati web UI to the public internet, and within an enterprise you could restrict access to the web UI to only certain source IPs. Or perhaps put it behind a WAF.

But honestly I don’t know if I’d use Duplicati in the enterprise anyway. It’s good for home use but for enterprises there are much more robust backup solutions available.