Magento not fully patched?

In the light of this security advice: https://helpx.adobe.com/security/products/magento/apsb20-02.html
Checked https://www.magereport.com/scan/?s=https://bb.qsl-webshop.com/ (with Magento 1.0 end of lifetime low risk site)
Not secure connection: -https://195.160.161.138/
No direct IP related detections: https://www.virustotal.com/gui/ip-address/195.160.161.138/relations
Consider also: https://sitereport.netcraft.com/?url=https%3A%2F%2Fbb.qsl-webshop.com%2Fbb_pl_pl%2Fcustomer%2Faccount%2Flogin%2F

jQuery vulnerability:

jquery 1.12.4 Found in -https://bb.qsl-webshop.com/static/version1580133709/frontend/Qsl/bb/pl_PL/jquery.min.js
Vulnerability info:
Medium 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
knockout 3.4.2 Found in -https://bb.qsl-webshop.com/static/version1580133709/frontend/Qsl/bb/pl_PL/knockoutjs/knockout.min.js
Vulnerability info:
Medium XSS injection point in attr name binding for browser IE7 and older

header insecurity

7.8
CVE-2018-16843
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file.
7.8
CVE-2018-16844
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file.
7.8
CVE-2018-16845
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the ‘mp4’ directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
5.8
CVE-2019-20372
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
4.3
&

jQuery JavaScript Library, headers - 1.12.4
7.2 NODEJS:328 Cross-Site Scripting (XSS)
7.2 NODEJS:329 XSS via improper selector detection
7.2 NODEJS:330 Exceeding Stack Call Limit DoS
5.3

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Hi Jose696,

Site is a website with WordPress CMS all right, but it is not that bad security-wise (it is a pretty website ;).
Neatly configured for user enumeration as well as directory listing both set to disabled.

Linked site OK: Linked Sites
Google Safe Browse checks have been performed on each of the linked sites.
Links with poor reputation could be a threat to users of the site. Hosting and location are also included in the results.

Externally Linked Host Hosting Provider Country
-www.dmca.com Microsoft Corporation Unite Google Safebrowsing rates it as OK.

Hints toward improvement: https://webhint.io/scanner/d1f2dfff-c35d-4dd9-867f-fcf6b64e7451
Just security header for access-control-allow-origin being returned.

Retirable jQuery library detected: jquery 1.12.4-wp Found in -https://tuwebdecero.com/wp-content/cache/busting/1/wp-includes/js/jquery/jquery-1.12.4-wp.js
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution

Blocking users should block 34% of trackers and 34% of ads on website according to ZenMate Web Firewall.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Is this problem gone now? I have just created my shop on Magento 2, and I wouldn’t want to have such problems. This was a while ago, and I hope that it’s solved because I am ready to start marketing my shop. I am sure that I will be successful, I just need to be seen by my customers. I will probably have to use automated marketing like the one from https://amasty.com/marketing-automation-for-magento-2.html. It makes sense, I don’t want to spend too much time on something like that, I want to be improving my product, and my shop.

The webshop is no longer on outdated Magento 0.1.
But kicks up a scan error: “HTTP 599: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small”
Server software still vulnerable: https://sitecheck.sucuri.net/results/https/bb.qsl-webshop.com

DNS address cannot be resolved, so site cannot be visited.
Redirect should go here: hxtps://bb.qsl-webshop.com/bb_pl_pl/customer/account/login/
Here issues: https://retire.insecurity.today/#!/scan/a68b3b6cb7e4f827e9d583637e36b9a19ef315e813fb1c67ee800e2e3c686ec6

DOM-XSS scan results:
Results from scanning URL: -https://bb.qsl-webshop.com/bb_pl_pl/customer/account/login/
Number of sources found: 0
Number of sinks found: 14

Re: Results from scanning URL: -https://bb.qsl-webshop.com/static/version1606221755/_cache/merged/d13968be43364492befa741d82d06710.min.js
Number of sources found: 29
Number of sinks found: 10

main.min.js:2 Error: Script error for: Magento_GoogleTagManager/js/google-analytics-universal
-http://requirejs.org/docs/errors.html#scripterror
    at makeError (d13968b……d82d06710.min.js:16)
    at HTMLScriptElement.onScriptError (d13968b……82d06710.min.js:112)
compat.min.js:1 Fallback to JQueryUI Compat activated. Your store is missing a dependency for a jQueryUI widget. Identifying and addressing the dependency will drastically improve the performance of your site.

DevTools failed to load SourceMap: Could not load content for -https://bb.qsl-webshop.com/static/version1606221755/frontend/Qsl/bb/pl_PL/Magento_PageBuilder/js/resource/jarallax/jarallax.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for -https://bb.qsl-webshop.com/static/version1606221755/frontend/Qsl/bb/pl_PL/Magento_PageBuilder/js/resource/jarallax/jarallax-video.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE


Errors and warnings found within the browser’s developer console (Shift+Ctrl+I).

See: -https://bb.qsl-webshop.com/bb_pl_pl/imprint

polonus