1) TLS 1.0 enabled
By default, Password Manager Pro allows TLS 1.0, 1.1, and 1.2. Follow the steps below to disable TLSv1.0 and TLSv1.1 and remove weak ciphers.
1. Stop the Password Manager Pro in the services console.
2. Take a backup of a PMP Installation folder and store it in a different location as a backup.
3. Open the server.xml file present inside <PMP-Home>\conf in WordPad/Notepad++ with admin privileges. Apply the changes below to both connectors:
· Search for the value sslProtocol and replace "TLS" with sslProtocol="TLSv1.2"
· Then search for "ciphers=" and replace its value with the TLSv1.2 ciphers listed below (comma separated). You can also use the ciphers mentioned in this article (https://www.openssl.org/docs/man1.0.2/man1/ciphers.html), under the section TLS v1.2 cipher suites (use the names that start with TLS):
· TLS_RSA_WITH_AES_128_CBC_SHA256
· TLS_RSA_WITH_AES_256_CBC_SHA256
· TLS_RSA_WITH_AES_128_GCM_SHA256
· TLS_RSA_WITH_AES_256_GCM_SHA384
4. Repeat the above changes in the other connector below, which is for port 7070, and save the file.
5. Now open the gateway.conf file present inside the <PMP_Installation_Directory>\conf folder with admin privileges in WordPad/Notepad++
· Search for the value sslProtocols=TLSv1,TLSv1.1,TLSv1.2 and replace it with sslProtocols=TLSv1.2
· In cipherSuites= replace the value with these ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
and then save this file.
6. Now open the postgres_ext.conf file present inside the <PMP_Installation_Directory>/pgsql/ext_conf folder
7. Then at the bottom of the file, add the settings below
· ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'
· ssl_prefer_server_ciphers = true
8. Then save the file.
9. Now start the service.
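As an added verification check (not part of the vendor's procedure or its tooling), the following Python audits a server.xml and a gateway.conf for exactly the settings the steps above change and reports any connector or key that still allows TLS 1.0/1.1 or lists a suite outside the four TLSv1.2 ciphers given; the sample files, the port 9999 connector and the RC4 suite in them are constructed for the demonstration.

```python
"""Added audit helper (not the vendor's own tooling): checks the two files
the steps above edit for leftover TLS 1.0/1.1 or non-allow-listed ciphers."""
import re
import xml.etree.ElementTree as ET

ALLOWED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# sslProtocol="TLS" lets the JVM negotiate every TLS version it supports, so it is legacy.
LEGACY_PROTOCOLS = {"TLS", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_protocols(value):
    """Entries of a comma-separated protocol list that must be removed."""
    return sorted(p for p in _split(value) if p in LEGACY_PROTOCOLS)

def audit_ciphers(value):
    """Suites outside the allow-list; an unset list means JVM defaults."""
    suites = _split(value) or ["<cipher list not set>"]
    return sorted(c for c in suites if c not in ALLOWED_SUITES)

def audit_server_xml(xml_text):
    """Map each SSL-enabled <Connector> port to its list of problems."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            findings[conn.get("port")] = (
                audit_protocols(conn.get("sslProtocol", "TLS"))
                + audit_ciphers(conn.get("ciphers", "")))
    return findings

def audit_gateway_conf(conf_text):
    """Problems in the sslProtocols= and cipherSuites= keys of gateway.conf."""
    keys = dict(re.findall(r"^\s*(sslProtocols|cipherSuites)\s*=\s*(.*?)\s*$",
                           conf_text, re.M))
    return (audit_protocols(keys.get("sslProtocols", ""))
            + audit_ciphers(keys.get("cipherSuites", "")))

# Constructed sample input: port 7070 already hardened, port 9999 still at defaults.
SAMPLE_SERVER_XML = """<Service>
<Connector port="7070" SSLEnabled="true" sslProtocol="TLSv1.2"
  ciphers="TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"/>
<Connector port="9999" SSLEnabled="true" sslProtocol="TLS"
  ciphers="TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA"/>
</Service>"""
SAMPLE_GATEWAY_CONF = "sslProtocols=TLSv1,TLSv1.1,TLSv1.2\ncipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256\n"
```

Run the two audit functions against the real files after restarting the service; an empty list for every connector and for gateway.conf means the procedure took effect in the configuration (a live handshake test against the ports is still worth doing separately).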
2) Regarding the jQuery vulnerabilities:
We have our own security framework implementation on top of our application that is using jQuery. This implementation is designed to block all cross-site scripting, SQL/script injection, and DoS-type attacks. We also have URL whitelisting implemented to protect the product and its operational integrity. So we are using this jQuery version with proper safeguards in place. We are already working on the process of removing the jQuery libraries from PMP.
3) Cookies without HttpOnly flag
We have set the HttpOnly flag on all important cookies such as JSESSIONID, JSESSIONIDSSO, etc. But we purposefully didn't set the HttpOnly flag on this cookie, since we need to read this cookie from the client side and send it to the server side for CSRF validation. We do have an XSS filter built into our application, so it is not possible to do client-side scripting to read this cookie. Even if the attacker gains the value of this cookie, it is not possible to do privilege escalation or any unauthorized execution. Since the flag is not set as HttpOnly, the scanning tool shows it as a vulnerability. However, you can treat this as a harmless alert.
4) HTML form without CSRF protection
HTML form without CSRF protection - false positive.
We have CSRF protection wherever it is required.