CxScanReport 2023-11-01 001554
0581fb6b-10fb-42c5-a550-d05e4213a294 | 2023-11-01T00:15:41.331Z
1/109
Table of Contents
Executive Summary
Scan Summary
Scan Results
SAST
SCA
Executive Summary
Findings by severity (chart): 178 in total; 30 High, 25 Medium, 100 Low, 23 Info, reading the five columns as Total, High, Medium, Low, Info (the two scanner rows under Scan Results sum to these figures in that order).
Findings per scanner (bar chart, y-axis 0 to 120): SAST 120 (0 High, 0 Medium, 97 Low, 23 Info); SCA 58 (30 High, 25 Medium, 3 Low, 0 Info).
Scan Information
Scan Summary
Number of scanners: 2
Completed date: 2023-10-24 16:40:40.442426 +0000 UTC
ASD STIG 4.10
Category
APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. - - 1
CWE top 25
Category
CWE top 25 3 1 11
FISMA 2014
Category
Access Control - - 1
Configuration Management 3 1 -
MOIS(KISA) Secure Coding 2021
Category
NIST SP 800-53
Category
OWASP ASVS
Category
V09 Communication - - 1
V14 Configuration - 1 3
OWASP Mobile Top 10 2016
Category
OWASP Top 10 2010
Category
A1-Injection - 1 -
OWASP Top 10 2013
Category
A1-Injection 3 1 -
OWASP Top 10 2017
Category
A1-Injection 3 1 2
A6-Security Misconfiguration - - 4
OWASP Top 10 2021
Category
A3-Injection 3 1 -
A4-Insecure Design - - 3
A5-Security Misconfiguration - - 2
PCI DSS v3.2.1
Category
SANS top 25
Category
SANS top 25 3 1 11
Scan Results
SAST
120 0 0 97 23
JavaScript
Client_DOM_Code_Injection
Description: The method @DestinationMethod embeds untrusted data in generated output with @DestinationElement, at line
@DestinationLine of @DestinationFile. This untrusted data is embedded into the output without proper
sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page. The attacker
can inject the malicious payload into the victim client, via external input @SourceElement. This is then processed
by the client in the @SourceMethod method, at line @SourceLine of @SourceFile. The client evaluates the code
and executes it.
Total Flows: 3
NEW
Status: NEW
Group name: JavaScript_High_Risk
First scan id: 5fdd860e-b6a7-4340-9cd0-726712cd687d
NEW
Status: NEW
Group name: JavaScript_High_Risk
CWE: CWE-94
NEW
Status: NEW
Group name: JavaScript_High_Risk
First scan id: 5fdd860e-b6a7-4340-9cd0-726712cd687d
Java
Missing_HSTS_Header
Description: The web-application does not define an HSTS (Strict-Transport-Security) header, so browsers are never told to refuse plain-HTTP connections to it, leaving users exposed to protocol-downgrade (SSL-stripping) attacks.
Total Flows: 1
NEW
CWE: CWE-346
Missing_X_Frame_Options
Description: The web-application does not properly utilize the "X-FRAME-OPTIONS" header to restrict embedding web-pages
inside of a frame.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, ASD STIG 4.10, NIST SP 800-53, OWASP ASVS, OWASP Top 10 2017
CWE: CWE-1021
Missing_Content_Security_Policy
Description: A Content Security Policy is not explicitly defined within the web-application.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
Serializable_Class_Containing_Sensitive_Data
Description: The field @SourceElement in @SourceFile in line @SourceLine, which contains sensitive data, is inserted into a
Serializable object, @DestinationFile, in line @DestinationLine, into the field @DestinationElement.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2017, OWASP Top 10 2021, MOIS(KISA) Secure Coding 2021, OWASP ASVS,
OWASP Top 10 2013
CWE: CWE-499
Incorrect_Permission_Assignment_For_Critical_Resources
Description: A file is created on the file system by @DestinationElement in @DestinationFile at line @DestinationLine with
potentially dangerous permissions.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Source line: 55
Compliances: CWE top 25, FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS,
OWASP Top 10 2017, OWASP Top 10 2021, SANS top 25
CWE: CWE-732
Improper_Resource_Access_Authorization
Total Flows: 5
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:39:42 +0000 UTC
Compliances: CWE top 25, FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS,
OWASP Top 10 2021, SANS top 25
CWE: CWE-285
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:39:42 +0000 UTC
First found date: 2023-07-18 15:47:03 +0000 UTC
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Compliances: CWE top 25, FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS,
OWASP Top 10 2021, SANS top 25
CWE: CWE-285
NEW
State: To Verify
Status: NEW
Log_Forging
Description: Method @SourceMethod at line @SourceLine of @SourceFile gets user input from element @SourceElement. This
element’s value flows through the code without being properly sanitized or validated, and is eventually used in
writing an audit log in @DestinationMethod at line @DestinationLine of @DestinationFile. This may enable Log
Forging.
Total Flows: 2
NEW
State: Confirmed
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:39:42 +0000 UTC
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:39:42 +0000 UTC
First found date: 2023-07-18 15:47:03 +0000 UTC
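Log_Forging (CWE-117, two flows above): a request value that contains a line break lets its author append a fabricated record to the audit log, and escape sequences can corrupt whatever reads it. The following is an added example in JavaScript, not code from the scanned project; the record format, field names and the injectable `now` parameter are assumptions made so the output is reproducible.

```javascript
// Added example (not the scanned project's code): keeping user-controlled
// text from forging audit log records (Log_Forging, CWE-117). Record
// format and field names are illustrative assumptions.

// Neutralise everything that could start a new record or corrupt a terminal:
// CR/LF become spaces, remaining C0/C1 control characters become '?', and
// the field is length-capped so one request cannot flood the log.
function sanitizeLogField(value, maxLen = 256) {
  const cleaned = String(value)
    .replace(/[\r\n]+/g, ' ')
    .replace(/[\u0000-\u001f\u007f-\u009f]/g, '?');
  return cleaned.length > maxLen ? `${cleaned.slice(0, maxLen)}...` : cleaned;
}

// Plain-text audit line, the shape a logger.info(...) call in the flagged
// method would emit. `now` is injectable so output is reproducible.
function auditLine(event, user, now = new Date()) {
  return `${now.toISOString()} AUDIT ${event} user="${sanitizeLogField(user)}"`;
}

// Structured alternative: one JSON document per line. Untrusted text is a
// JSON string value, so line breaks are escaped and the record cannot be
// split however the input is shaped. Consumers get the original back intact.
function auditRecord(event, fields, now = new Date()) {
  return JSON.stringify({ ts: now.toISOString(), event, ...fields });
}
```

The structured form is the stronger fix: the sanitiser keeps a forged line from becoming a separate record, but an attacker can still place a convincing-looking "record" inside the same line, whereas a JSON consumer sees it unambiguously as the value of one field.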
Improper_Resource_Shutdown_or_Release
Description: The application's @SourceMethod method in @SourceFile defines and initializes the @SourceElement object at
@SourceLine. This object encapsulates a limited computing resource, such as open file streams, database
connections, or network streams. This resource is not properly closed and released in all situations.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
CWE: CWE-404
Improper_Transaction_Handling
Description: The application's @SourceMethod method in @SourceFile creates and opens a connection to the database, and
enlists it in a transaction. Though the application wraps the connection in a `try { }` block to handle exceptions,
the database transaction is not always rolled back on errors.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Group name: Java_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:39:42 +0000 UTC
JavaScript
Client_Potential_Code_Injection
Description: The method @DestinationMethod embeds untrusted data in generated output with @DestinationElement, at line
@DestinationLine of @DestinationFile. This untrusted data is embedded into the output without proper
sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page. The attacker
can inject the malicious payload into the victim client, via external input @SourceElement. This is then processed
by the client in the @SourceMethod method, at line @SourceLine of @SourceFile. The client evaluates the code
and executes it.
Total Flows: 1
NEW
CWE: CWE-94
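Client_DOM_Code_Injection (three flows, earlier in this section) and Client_Potential_Code_Injection share one description: attacker-controlled text reaches a JavaScript evaluation sink (CWE-94). The following added example is not code from the scanned project; it assumes a component that picks a handler by the name carried in the URL fragment, and shows the flagged pattern next to a version with no evaluation sink at all.

```javascript
// Added example (not from the scanned project): untrusted text reaching a
// JavaScript evaluation sink (CWE-94) and the fix that removes the sink.
// Assumed scenario: a page component selects an action by the name in
// the URL fragment, e.g. "#showResults".

const handlers = {
  showResults: () => 'results shown',
  showMap: () => 'map shown',
};

// VULNERABLE: source text is assembled from location.hash and evaluated.
// new Function / eval / setTimeout(string) are all the same sink. A crafted
// link such as "#constructor.constructor('return 6*7')" executes arbitrary
// code; here it yields 42 instead of calling a handler.
function runActionUnsafe(hash) {
  const action = decodeURIComponent(hash.replace(/^#/, ''));
  return new Function('handlers', `return handlers.${action}()`)(handlers);
}

// HARDENED: never evaluate text. Treat the fragment as a key into a closed
// allowlist, checked with hasOwnProperty so inherited names such as
// "constructor" or "__proto__" never resolve.
function runActionSafe(hash) {
  const action = decodeURIComponent(hash.replace(/^#/, ''));
  if (!Object.prototype.hasOwnProperty.call(handlers, action)) {
    return null; // unknown action is ignored, never evaluated
  }
  return handlers[action]();
}
```

The fix is structural: there is nothing to sanitise because attacker text is only ever compared against a fixed set of names, never handed to the JavaScript engine as code. Encoding the input would not help here, since the sink interprets it as program text rather than as HTML.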
Client_JQuery_Deprecated_Symbols
Total Flows: 1
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Client_DOM_Open_Redirect
Description: The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a
destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing
attackers to perform an open redirection.
Total Flows: 6
NEW
State: To Verify
Status: NEW
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
First scan id: 38da4acb-56f8-4ba2-91de-05746d59e256
Found date: 2023-10-24 16:39:42 +0000 UTC
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10 2010,
OWASP Top 10 2013, OWASP Top 10 2021, FISMA 2014
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
First scan id: 38da4acb-56f8-4ba2-91de-05746d59e256
Found date: 2023-10-24 16:39:42 +0000 UTC
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
First scan id: 38da4acb-56f8-4ba2-91de-05746d59e256
Source line: 71
Destination element: href
Destination file: /carelon-sites/serveco/ui.apps/src/main/content/jcr_root/apps/serveco/components/content/provider-results/clientlibs/js/provider-results.js
Destination method: Lambda
Destination line: 74
Compliances: MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10 2010,
OWASP Top 10 2013, OWASP Top 10 2021, FISMA 2014
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
First scan id: 38da4acb-56f8-4ba2-91de-05746d59e256
Found date: 2023-10-24 16:39:42 +0000 UTC
First found date: 2023-09-27 19:00:11 +0000 UTC
Potential_Clickjacking_on_Legacy_Browsers
Description: The application does not protect the web page @DestinationFile from clickjacking attacks in legacy browsers, by
using framebusting scripts.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Missing_CSP_Header
Description: A Content Security Policy is not explicitly defined within the web-application.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Server_Side_Vulnerabilities
First scan id: 63ae6e3b-5ba9-427e-89a3-4df7eee02441
Source line: 2
Compliances: OWASP ASVS, OWASP Top 10 2021
CWE: CWE-346
Unprotected_Cookie
Description: The web application's @SourceMethod method creates a cookie @SourceElement, at line @SourceLine of
@SourceFile, and returns it in the response. However, the application is not configured to automatically set the
cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.
Total Flows: 2
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Server_Side_Vulnerabilities
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:39:42 +0000 UTC
Compliances: FISMA 2014, NIST SP 800-53, OWASP ASVS, OWASP Top 10 2021
CWE: CWE-614
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Server_Side_Vulnerabilities
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Unsafe_Use_Of_Target_blank
Description: Using @SourceElement at line @SourceLine of @SourceFile, without correctly setting the "rel" attribute, or
disassociating the new window from its parent, is an unsafe way of opening a new window.
Total Flows: 11
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Source line: 13
Compliances: FISMA 2014, NIST SP 800-53
CWE: CWE-1022
NEW
State: To Verify
Status: NEW
Source line: 56
NEW
State: To Verify
Status: NEW
Source line: 42
NEW
State: To Verify
Status: NEW
Source line: 13
NEW
State: To Verify
Status: NEW
Source line: 31
Compliances: FISMA 2014, NIST SP 800-53
CWE: CWE-1022
NEW
State: To Verify
Status: NEW
Source line: 12
NEW
State: To Verify
Status: NEW
CWE: CWE-1022
NEW
State: To Verify
Status: NEW
CWE: CWE-1022
NEW
State: To Verify
Status: NEW
NEW
State: To Verify
Status: NEW
CWE: CWE-1022
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Source line: 42
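Unsafe_Use_Of_Target_blank (11 flows above, CWE-1022): a page opened with target="_blank" or window.open receives a window.opener reference back to the opening page unless rel="noopener" (or the noopener window feature) is set, which lets the destination navigate the original tab, for instance to a phishing copy. The following is an added example, not the project's code; the injectable `win` and `doc` parameters are assumptions made so the logic can be exercised without a browser.

```javascript
// Added example: opening a new window/tab without handing the opener to the
// destination (CWE-1022, Unsafe_Use_Of_Target_blank). Window and document
// are injectable so the logic can be exercised outside a browser.

// "noopener" severs window.opener; "noreferrer" additionally withholds the
// Referer header and implies noopener in current browsers.
const REQUIRED_REL = ['noopener', 'noreferrer'];

// The rel value an <a target="_blank"> should carry, preserving tokens the
// markup already had (e.g. "nofollow").
function relForTargetBlank(existingRel = '') {
  const tokens = new Set(existingRel.split(/\s+/).filter(Boolean));
  for (const t of REQUIRED_REL) tokens.add(t);
  return [...tokens].join(' ');
}

// Programmatic equivalent for window.open: request noopener in the feature
// string and, for engines that ignore it, null out the opener handle on
// whatever window object came back (spec-compliant browsers return null).
function openExternal(url, win = globalThis.window) {
  const popup = win.open(url, '_blank', 'noopener,noreferrer');
  if (popup) popup.opener = null;
  return popup;
}

// Fix every target="_blank" link in a document in place; returns how many
// needed changing, which is a useful metric for a one-off audit.
function hardenBlankLinks(doc = globalThis.document) {
  let fixed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const want = relForTargetBlank(a.getAttribute('rel') || '');
    if (a.getAttribute('rel') !== want) {
      a.setAttribute('rel', want);
      fixed += 1;
    }
  }
  return fixed;
}
```

Markup that is authored rather than generated should simply carry rel="noopener noreferrer" on every target="_blank" anchor; the DOM walk above is for content that arrives from a CMS or third-party HTML the page cannot edit at source.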
Client_Use_Of_Iframe_Without_Sandbox
Description: The application employs an HTML iframe whose contents are not properly sandboxed.
Total Flows: 1
NEW
State: To Verify
Status: NEW
Source line: 49
Compliances: MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10 2017,
OWASP Top 10 2021, SANS top 25, ASD STIG 4.10, CWE top 25
CWE: CWE-829
Client_DOM_Open_Redirect
Description: The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a
destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing
attackers to perform an open redirection.
Total Flows: 13
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Source line: 99
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Source line: 99
Destination element: open
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Source line: 82
Destination element: open
Destination line: 85
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Destination line: 84
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Source line: 73
Destination line: 79
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Source line: 73
Destination element: href
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Destination line: 62
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Destination line: 60
Compliances: FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2010, OWASP Top 10 2013, OWASP Top 10 2021
CWE: CWE-601
Client_Potential_DOM_Open_Redirect
Description: The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a
destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing
attackers to perform an open redirection.
Total Flows: 7
NEW
State: To Verify
Status: NEW
CWE: CWE-601
NEW
State: To Verify
Status: NEW
NEW
State: To Verify
Status: NEW
Compliances: OWASP ASVS, OWASP Top 10 2010, OWASP Top 10 2013, OWASP Top 10 2021, ASD STIG
4.10, FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53
CWE: CWE-601
NEW
State: To Verify
Status: NEW
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Compliances: OWASP ASVS, OWASP Top 10 2010, OWASP Top 10 2013, OWASP Top 10 2021, ASD STIG
4.10, FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Source line: 21
Destination element: BinaryExpr
CWE: CWE-601
NEW
State: To Verify
Status: NEW
Compliances: OWASP ASVS, OWASP Top 10 2010, OWASP Top 10 2013, OWASP Top 10 2021, ASD STIG
4.10, FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53
CWE: CWE-601
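Client_DOM_Open_Redirect (two groups of flows above, including the href sink at line 74 of provider-results.js and the window.open sinks) and Client_Potential_DOM_Open_Redirect all describe a tainted value reaching a navigation sink (CWE-601). The following is an added example rather than code from the scanned project; the site origin, the path names and the injectable `nav` object are assumptions made so the check can be exercised outside a browser.

```javascript
// Added example: validating a redirect target before it reaches
// location.href or window.open (CWE-601, Client_DOM_Open_Redirect).
// The origin and paths are assumptions for illustration.

const SITE_ORIGIN = 'https://www.example.com'; // assumed; use location.origin in a page

// Resolve the candidate the way the browser will, then accept it only if it
// stays on our origin over https. Rejects the usual bypasses of prefix checks:
// protocol-relative "//evil.com", backslash "/\evil.com", "javascript:", and
// look-alike hosts such as "https://www.example.com.evil.net".
function safeRedirectTarget(candidate, origin = SITE_ORIGIN) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let url;
  try {
    url = new URL(candidate, origin); // relative paths resolve against our origin
  } catch {
    return null; // unparsable input is never followed
  }
  if (url.protocol !== 'https:') return null; // blocks javascript:, data:, http:
  if (url.origin !== new URL(origin).origin) return null;
  return url.href; // normalised absolute URL on our own origin
}

// Sink wrapper: what the flagged code should call instead of assigning a
// query-string or hash value straight to location.href / window.open.
// `nav` defaults to the real location; tests pass a recorder.
function redirectTo(candidate, nav = { assign: (u) => { location.href = u; } }) {
  const target = safeRedirectTarget(candidate);
  if (target === null) {
    nav.assign(`${SITE_ORIGIN}/`); // fall back to a fixed landing page
    return false;
  }
  nav.assign(target);
  return true;
}
```

The check resolves the candidate with the URL constructor exactly as the browser will and compares the resulting scheme and origin; string tests such as startsWith('/') or indexOf(hostname) are what attackers bypass with //host, /\host and look-alike hostnames. Where the redirect only ever needs a handful of destinations, an allowlist of fixed paths is simpler still.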
Client_Hardcoded_Domain
Description: The JavaScript file imported in @SourceElement in @SourceFile at line @SourceLine is from a remote domain,
which may allow attackers to replace its contents with malicious code.
Total Flows: 3
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: CWE top 25, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2021, SANS top 25
CWE: CWE-829
NEW
State: To Verify
Status: NEW
Source line: 28
Compliances: CWE top 25, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2021, SANS top 25
CWE: CWE-829
NEW
State: To Verify
Status: NEW
Compliances: CWE top 25, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP ASVS, OWASP Top 10
2021, SANS top 25
CWE: CWE-829
Client_JQuery_Deprecated_Symbols
Total Flows: 36
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Source line: 83
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
CWE: CWE-477
NEW
State: To Verify
Status: NEW
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Source line: 71
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Group name: JavaScript_Low_Visibility
Source line: 91
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
NEW
State: To Verify
Status: NEW
Compliances: OWASP Top 10 2021, OWASP ASVS, OWASP Top 10 2013, OWASP Top 10 2017
CWE: CWE-477
SCA
58 30 25 3 0
Npm-debug-2.6.9
NEW | 1333
State: To Verify
Status: NEW
Version: 2.6.9
Outdated: Yes
CWE: CWE-1333
CVE: Cx8bc4df28-fcf5
Description: In NPM `debug`, the `enable` function accepts a regular expression from user input without
escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack
on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service).
This is a different issue than CVE-2017-16137.
Npm-debug-2.6.9
NEW | 401
State: To Verify
Status: NEW
Version: 2.6.9
Outdated: Yes
CWE: CWE-401
CVE: Cx89601373-08db
Description: NPM `debug` prior to 4.3.0 has a memory leak when creating `debug` instances inside a
function, which can have a significant impact on availability. This happens because the function
`debug` in the file `src/common.js` does not free up used memory.
Npm-debug-3.2.7
NEW | 401
State: To Verify
Status: NEW
Outdated: Yes
CWE: CWE-401
CVE: Cx89601373-08db
Description: NPM `debug` prior to 4.3.0 has a memory leak when creating `debug` instances inside a
function, which can have a significant impact on availability. This happens because the function
`debug` in the file `src/common.js` does not free up used memory.
Npm-debug-3.2.7
NEW | 1333
State: To Verify
Status: NEW
Version: 3.2.7
Outdated: Yes
CWE: CWE-1333
CVE: Cx8bc4df28-fcf5
Description: In NPM `debug`, the `enable` function accepts a regular expression from user input without
escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack
on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service).
This is a different issue than CVE-2017-16137.
Npm-debug-4.3.4
NEW | 1333
State: To Verify
Status: NEW
Outdated: No
CWE: CWE-1333
CVE: Cx8bc4df28-fcf5
Description: In NPM `debug`, the `enable` function accepts a regular expression from user input without
escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack
on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service).
This is a different issue than CVE-2017-16137.
Npm-decode-uri-component-0.2.2
NEW | 20
State: To Verify
Status: NEW
Version: 0.2.2
Outdated: Yes
CWE: CWE-20
CVE: CVE-2022-38900
Description: decode-uri-component is vulnerable to Improper Input Validation resulting in DoS.
Npm-inflight-1.0.6
NEW | 772
State: To Verify
Status: NEW
First scan id: d0d36468-8514-4da1-bc15-4a0626cf88c1
CWE: CWE-772
CVE: Cxdca8e59f-8bfe
Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after
being used. It appears to affect all versions, as the issue was not addressed and no fix is
found. NOTE: In the meantime, `logdna-agent`, a package that depends on `inflight`, has
merged a commit to address this solely in their package (so it should be fixed in `logdna-
agent` in versions 1.6.5 and later). `Node-glob`, a package that also depends on `inflight`, was
also planning to address this by not using `inflight` after version 8 is released, but it is still
being used.
Npm-merge-1.2.1
NEW | 1321
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:36 +0000 UTC
CWE: CWE-1321
CVE: CVE-2020-28499
Description: Package merge before 2.1.1 is vulnerable to Prototype Pollution via _recursiveMerge .
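The merge finding (CVE-2020-28499, CWE-1321) is a recursive merge that walks into a source key named __proto__ and so writes attacker-chosen properties onto Object.prototype for the whole process, typically from a JSON body the application merges into its options. The two functions below are an added illustration of that bug class and of a merge that cannot be polluted; they are re-implementations written for this note, not the merge package's own code.

```javascript
// Added example: the class of bug behind CVE-2020-28499 (prototype pollution
// via a recursive merge, CWE-1321). Both functions are illustrative
// re-implementations, not the merge package's code.

// VULNERABLE shape: recurse into every enumerable key of the source, including
// an own key literally named "__proto__" (which JSON.parse happily creates).
// target["__proto__"] is Object.prototype, so the recursion writes the
// attacker's properties onto every object in the process.
function recursiveMergeUnsafe(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      recursiveMergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: own keys only, never the three names that reach the prototype
// chain, and only recurse into plain objects (not arrays, class instances,
// or inherited values).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepMergeSafe(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run both merges against the same hostile payload and report what a brand-new
// object sees for "isAdmin" after each. Cleans up the pollution it causes.
function pollutionDemo() {
  const payload = () => JSON.parse('{"__proto__":{"isAdmin":true}}');
  recursiveMergeUnsafe({}, payload());
  const afterUnsafe = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  deepMergeSafe({}, payload());
  const afterSafe = ({}).isAdmin;
  return [afterUnsafe, afterSafe]; // [true, undefined]
}
```

Upgrading merge to 2.1.1 or later is the direct fix for the finding; the skip-list above is the check to look for in any hand-written or vendored deep-merge, and Object.freeze(Object.prototype) at startup is a blunt but effective backstop for services that accept JSON from untrusted parties.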
Npm-node-sass-6.0.1
NEW | 125
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
CWE: CWE-125
CVE: CVE-2017-12963
Description: There is an illegal address access in Sass::Eval::operator() in eval.cpp of LibSass leading to a
remote denial of service attack. NOTE: this is similar to CVE-2017-11555 but remains
exploitable after the vendor's CVE-2017-11555 fix (available from GitHub after 2017-07-24).
Maven-org.apache.jackrabbit:oak-core-1.4.1
NEW | 212
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Outdated: Yes
CWE: CWE-212
CVE: CVE-2020-1940
Description: The optional initial password change and password expiration features present in Apache
Jackrabbit Oak through 1.22.0 are prone to a sensitive information disclosure vulnerability.
The code mandates the changed password to be passed as an additional attribute to the
credentials object but does not remove it upon processing during the first phase of the
authentication. In combination with additional, independent authentication mechanisms, this
may lead to the new password being disclosed. It has also been fixed in previously affected
versions via release (1.4.26, 1.6.20, 1.8.20, 1.10.8).
Npm-node-sass-6.0.1
NEW | 416
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
CWE: CWE-416
CVE: CVE-2018-11499
Description: A Use-After-Free vulnerability exists in "handle_error()" in "sass_context.cpp" in LibSass 3.4.x
and 3.5.x through 3.5.4 that could be leveraged to cause a Denial of Service (application crash)
or possibly unspecified other impact.
Npm-node-sass-6.0.1
NEW | 476
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Outdated: Yes
CWE: CWE-476
CVE: CVE-2018-11694
Description: An issue was discovered in LibSass through 3.5.5. A NULL pointer dereference was found in
the function Sass::Functions::selector_append which could be leveraged by an attacker to
cause a denial of service (application crash) or possibly have unspecified other impact.
Maven-org.apache.johnzon:johnzon-core-1.0.0
NEW | 502
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:35 +0000 UTC
CWE: CWE-502
CVE: CVE-2023-33008
Description: In Apache Johnzon versions prior to 1.2.21, a malicious attacker can craft up some JSON input
that uses large numbers (numbers such as 1e20000000) that will deserialize into BigDecimal
and maybe use numbers too large which may result in a slow conversion (Denial of service
risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the
BigDecimal.
Maven-com.fasterxml.jackson.core:jackson-databind-2.12.6.1
NEW | 502
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:35 +0000 UTC
First found date: 2023-07-18 15:34:42 +0000 UTC
Version: 2.12.6.1
Outdated: Yes
CWE: CWE-502
CVE: CVE-2022-42004
Description: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack
of a check in "BeanDeserializer._deserializeFromArray" to prevent the use of deeply nested
arrays. An application is vulnerable only with certain customized choices for deserialization.
Maven-org.apache.sling:org.apache.sling.commons.json-2.0.16
NEW | 20
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:35 +0000 UTC
CWE: CWE-20
CVE: CVE-2022-47937
Description: Improper input validation in the Apache Sling Commons JSON bundle allows an attacker to
trigger unexpected errors by supplying specially-crafted input. NOTE: This vulnerability only
affects products that are no longer supported by the maintainer. The
org.apache.sling.commons.json bundle has been deprecated as of March 2017 and should not
be used anymore. Consumers are encouraged to consider the Apache Sling Commons Johnzon
OSGi bundle provided by the Apache Sling project, but may, of course, use other JSON libraries.
Npm-node-sass-6.0.1
NEW | 787
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:36 +0000 UTC
CVE: CVE-2022-26592
Description: Stack Overflow vulnerability in libsass via the "CompoundSelector::has_real_parent_ref"
function.
Npm-scss-tokenizer-0.2.3
NEW | 1333
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:37 +0000 UTC
CWE: CWE-1333
CVE: CVE-2022-25758
Description: All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service
(ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
Maven-commons-beanutils:commons-beanutils-1.8.3
NEW | 20
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
CWE: CWE-20
CVE: CVE-2014-0114
Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache
Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.3,
does not suppress the class property, which allows remote attackers to "manipulate" the
ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the
passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Npm-node-sass-6.0.1
NEW | 416
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:36 +0000 UTC
CWE: CWE-416
CVE: CVE-2018-19827
Description: In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp
(or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have
unspecified other impact.
Npm-node-sass-6.0.1
NEW | 674
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
CWE: CWE-674
CVE: CVE-2017-12964
Description: There is a stack consumption issue in all versions of LibSass, that is triggered in the function
"Sass::Eval::operator()" in "eval.cpp". It will lead to a remote denial of service attack. This
issue also affects all versions of other packages that use the LibSass library, such as node-
sass, libsass-python, sassc, jsass.
Maven-xerces:xercesImpl-2.6.2
NEW | 399
State: To Verify
Status: NEW
First scan id: 7f40b727-3770-4e4f-a79b-2be797dff996
Found date: 2023-10-24 16:40:35 +0000 UTC
CWE: CWE-399
CVE: CVE-2012-0881
Description: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service
(CPU consumption) via a crafted message to an XML service, which triggers hash table
collisions.
Maven-xerces:xercesImpl-2.6.2
NEW | 400
State: To Verify
Status: NEW
First scan id: 7f40b727-3770-4e4f-a79b-2be797dff996
Found date: 2023-10-24 16:40:35 +0000 UTC
CWE: CWE-400
CVE: CVE-2013-4002
Description: XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime
Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1
SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier,
Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE
Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a
denial of service via vectors related to XML attribute names.
Npm-node-sass-6.0.1
NEW | 787
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:36 +0000 UTC
CWE: CWE-787
CVE: CVE-2022-43357
Description: Stack overflow vulnerability in "ast_selectors.cpp" in function
"Sass::CompoundSelector::has_real_parent_ref" in libsass, which attackers can exploit to
cause a Denial Of Service (DOS). It also affects the command line driver for libsass, sassc.
Npm-node-sass-6.0.1
NEW | 787
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:36 +0000 UTC
CWE: CWE-787
CVE: CVE-2022-43358
Description: Stack overflow vulnerability in "ast_selectors.cpp" in function
"Sass::ComplexSelector::has_placeholder", which can be exploited by attackers to cause a
Denial Of Service (DoS).
Maven-commons-collections:commons-collections-3.2.2
NEW | 674
State: To Verify
Status: NEW
First scan id: 0d80a05d-c05c-4209-ac99-b004722e2b4a
Found date: 2023-10-24 16:40:35 +0000 UTC
CVE: Cx78f40514-81ff
Description: The framework Apache Commons Collections before 4.3 is vulnerable to Stack Overflow. The
function `add()` in the file
`src/main/java/org/apache/commons/collections4/list/SetUniqueList.java` throws a
StackOverflowError when the `add()` method is called with its own list. To resolve this issue -
upgrade to version 4.3. Please note: the package name was changed to
org.apache.commons:commons-collections4 on version 4.0.
Maven-com.fasterxml.jackson.core:jackson-databind-2.12.6.1
NEW | 502
State: To Verify
Status: NEW
Version: 2.12.6.1
Outdated: Yes
CWE: CWE-502
CVE: CVE-2022-42003
Description: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a
lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the
"UNWRAP_SINGLE_VALUE_ARRAYS" feature is enabled.
Npm-tough-cookie-2.5.0
NEW | 1321
State: To Verify
Status: NEW
First scan id: d0d36468-8514-4da1-bc15-4a0626cf88c1
Found date: 2023-10-24 16:40:37 +0000 UTC
CVE: CVE-2023-26136
Description: The package tough-cookie in versions prior to 4.1.3 is vulnerable to Prototype Pollution due
to improper handling of Cookies when using CookieJar in "rejectPublicSuffixes=false" mode.
This issue arises from the manner in which the objects are initialized.
Maven-org.apache.commons:commons-collections4-4.1
NEW | 674
State: To Verify
Status: NEW
First scan id: 7f40b727-3770-4e4f-a79b-2be797dff996
Found date: 2023-10-24 16:40:35 +0000 UTC
CWE: CWE-674
CVE: Cx78f40514-81ff
Description: The framework Apache Commons Collections before 4.3 is vulnerable to Stack Overflow. The
function `add()` in the file
`src/main/java/org/apache/commons/collections4/list/SetUniqueList.java` throws a
StackOverflowError when the `add()` method is called with its own list. To resolve this issue -
upgrade to version 4.3. Please note: the package name was changed to
org.apache.commons:commons-collections4 on version 4.0.
Npm-ansi-regex-2.1.1
NEW | 1333
State: To Verify
Status: NEW
First scan id: d0d36468-8514-4da1-bc15-4a0626cf88c1
Found date: 2023-10-24 16:40:35 +0000 UTC
CVE: CVE-2021-3807
Description: ansi-regex prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Regular Expression
Complexity.
Npm-node-sass-6.0.1
NEW | 125
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:36 +0000 UTC
CWE: CWE-125
CVE: CVE-2019-6284
Description: In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in
prelexer.hpp.
Maven-com.google.guava:guava-14.0.1
NEW | 770
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:35 +0000 UTC
First found date: 2023-07-18 15:34:42 +0000 UTC
Version: 14.0.1
Outdated: Yes
CWE: CWE-770
CVE: CVE-2018-10237
Description: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote
attackers to conduct denial of service attacks against servers that depend on this library and
deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with
Java serialization) and the CompoundOrdering class (when serialized with GWT serialization)
perform eager allocation without appropriate checks on what a client has sent and whether the
data size is reasonable.
Maven-com.google.guava:guava-14.0.1
NEW | 379
State: To Verify
Status: NEW
Version: 14.0.1
Outdated: Yes
CWE: CWE-379
CVE: CVE-2023-2976
Description: Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in
Google Guava versions 1.0 through 31.1-jre on Unix systems and Android Ice Cream Sandwich
allows other users and apps on the machine with access to the default Java temporary
directory to be able to access the files created by the class. Even though the security
vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0
breaks some functionality under Windows.
Maven-com.google.guava:guava-15.0
NEW | 379
State: To Verify
Status: NEW
First scan id: 20c14377-7c1a-4a50-ac7d-5630632221b0
Found date: 2023-10-24 16:40:35 +0000 UTC
First found date: 2023-07-12 20:46:47 +0000 UTC
Version: 15.0
Outdated: Yes
CWE: CWE-379
CVE: CVE-2023-2976
Description: Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in
Google Guava versions 1.0 through 31.1-jre on Unix systems and Android Ice Cream Sandwich
allows other users and apps on the machine with access to the default Java temporary
directory to be able to access the files created by the class. Even though the security
vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0
breaks some functionality under Windows.
Maven-com.google.guava:guava-15.0
NEW | 770
State: To Verify
Status: NEW
Version: 15.0
Outdated: Yes
CWE: CWE-770
CVE: CVE-2018-10237
Description: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote
attackers to conduct denial of service attacks against servers that depend on this library and
deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with
Java serialization) and the CompoundOrdering class (when serialized with GWT serialization)
perform eager allocation without appropriate checks on what a client has sent and whether the
data size is reasonable.
Maven-commons-io:commons-io-2.4
NEW | 22
State: To Verify
Status: NEW
First scan id: 7f40b727-3770-4e4f-a79b-2be797dff996
Found date: 2023-10-24 16:40:35 +0000 UTC
First found date: 2023-07-06 14:38:14 +0000 UTC
Version: 2.4
Outdated: Yes
CWE: CWE-22
CVE: CVE-2021-29425
Description: In Apache Commons IO from 2.2 up to 2.6, when invoking the method FileNameUtils.normalize
with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value,
thus possibly providing access to files in the parent directory, but not further above (thus
"limited" path traversal), if the calling code would use the result to construct a path value.
Maven-junit:junit-4.12
NEW | 732
State: To Verify
Status: NEW
First scan id: 0d80a05d-c05c-4209-ac99-b004722e2b4a
Outdated: Yes
CWE: CWE-732
CVE: CVE-2020-15250
Description: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local
information disclosure vulnerability. On Unix like systems, the system's temporary directory is
shared between all users on that system. Because of this, when files and directories are
written into this directory they are, by default, readable by other users on that same system.
This vulnerability does not allow other users to overwrite the contents of these directories or
files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the
JUnit tests write sensitive information, like API keys or passwords, into the temporary folder,
and the JUnit tests execute in an environment where the OS has other untrusted users.
Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent
upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is
fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the
workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the
`java.io.tmpdir` system environment variable to a directory that is exclusively owned by the
executing user will fix this vulnerability. For more information, including an example of
vulnerable code, see the referenced GitHub Security Advisory.
Maven-org.apache.sling:org.apache.sling.api-2.11.0
NEW | 116
State: To Verify
Status: NEW
Version: 2.11.0
Outdated: Yes
CWE: CWE-116
CVE: CVE-2022-32549
Description: Apache Sling Commons Log through 5.4.0, and Apache Sling API through 2.25.0 are vulnerable
to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake
logs and potentially corrupt log files.
Maven-org.apache.sling:org.apache.sling.i18n-2.4.4
NEW | 269
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:35 +0000 UTC
CVE: CVE-2023-25621
Description: Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content
author is able to create i18n dictionaries in the repository in a location the author has write
access to. As these translations are used across the whole product, it allows an author to
change any text or dialog in the product. For example an attacker might fool someone by
changing the text on a delete button to "Info". This issue affects the i18n module of Apache
Sling versions prior to 2.6.2. Version 2.6.2 and higher limit by default i18n dictionaries to
certain paths in the repository (/libs and /apps). Users of the module are advised to check the
configuration for resource loading and then adjust the access permissions for the configured
path accordingly.
Maven-org.jsoup:jsoup-1.14.2
NEW | 79
State: To Verify
Status: NEW
Version: 1.14.2
Outdated: Yes
CWE: CWE-79
CVE: CVE-2022-36033
Description: jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting
(XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions,
which could allow XSS attacks when a reader subsequently clicks that link. If the non-default
`SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that
have been crafted with control characters will not be sanitized. If the site that this HTML is
published on does not set a Content Security Policy, an XSS attack is then possible. This issue
affects versions before 1.15.3.
Maven-xerces:xercesImpl-2.6.2
NEW | 400
State: To Verify
Status: NEW
Version: 2.6.2
Outdated: Yes
CWE: CWE-400
CVE: CVE-2018-2799
Description: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE
(subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and
10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to compromise Java SE,
Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit.
Note: Applies to client and server deployment of Java. This vulnerability can be exploited
through sandboxed Java Web Start applications and sandboxed Java applets. It can also be
exploited by supplying data to APIs in the specified Component without using sandboxed Java
Web Start applications or sandboxed Java applets, such as through a web service.
Maven-xerces:xercesImpl-2.6.2
NEW | 20
State: To Verify
Status: NEW
Version: 2.6.2
Outdated: Yes
CWE: CWE-20
CVE: CVE-2020-14338
Description: A flaw was found in Xerces, specifically in the XMLSchemaValidator class. This flaw
allows a specially-crafted XML file to manipulate the validation process in certain cases. This
issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses similar code.
This flaw is fixed in versions jboss-2.11.0.SP6 and 2.12.0.SP3 that are available on GitHub.
Maven-xerces:xercesImpl-2.6.2
NEW | 264
State: To Verify
Status: NEW
First scan id: 7f40b727-3770-4e4f-a79b-2be797dff996
CWE: CWE-264
CVE: CVE-2009-2625
Description: XMLScanner.java in Apache Xerces2 Java versions prior to 2.10.0, as used in Sun Java
Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before
Update 20, and in other products, allows remote attackers to cause a denial of service (infinite
loop and application hang) via malformed XML input, as demonstrated by the Codenomicon
XML fuzzing framework.
Maven-xerces:xercesImpl-2.6.2
NEW | 400
State: To Verify
Status: NEW
Version: 2.6.2
Outdated: Yes
CWE: CWE-400
CVE: CVE-2017-10355
Description: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE
(subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151,
8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability
allows unauthenticated attacker with network access via multiple protocols to compromise
Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE
Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in
the specified Component without using sandboxed Java Web Start applications or sandboxed
Java applets, such as through a web service.
Maven-xerces:xercesImpl-2.6.2
NEW | 91
State: To Verify
Status: NEW
First scan id: 7f40b727-3770-4e4f-a79b-2be797dff996
Found date: 2023-10-24 16:40:35 +0000 UTC
CVE: CVE-2022-23437
Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling
specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an
infinite loop, which may sometimes consume system resources for a prolonged duration. This
vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Npm-node-sass-6.0.1
NEW | 674
State: To Verify
Status: NEW
Version: 6.0.1
Outdated: Yes
CWE: CWE-674
CVE: CVE-2019-18797
Npm-node-sass-6.0.1
NEW | 476
State: To Verify
Status: NEW
Version: 6.0.1
Outdated: Yes
CWE: CWE-476
CVE: CVE-2018-19797
Description: In LibSass 3.5.5, a NULL Pointer Dereference in the function
Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and
ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input
file.
Npm-node-sass-6.0.1
NEW | 295
State: To Verify
Status: NEW
Version: 6.0.1
Outdated: Yes
CWE: CWE-295
CVE: CVE-2020-24025
Description: Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if
the user is not specifying an alternative download path.
Npm-node-sass-6.0.1
NEW | 476
State: To Verify
Status: NEW
Version: 6.0.1
Outdated: Yes
CWE: CWE-476
CVE: CVE-2018-20190
Description: In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()
(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a
crafted sass input file.
Npm-node-sass-6.0.1
NEW | 125
State: To Verify
Status: NEW
Outdated: Yes
CWE: CWE-125
CVE: CVE-2019-18798
Npm-node-sass-6.0.1
NEW | 674
State: To Verify
Status: NEW
Version: 6.0.1
Outdated: Yes
CWE: CWE-674
CVE: CVE-2018-20821
Description: The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service
(uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Npm-node-sass-6.0.1
NEW | 125
State: To Verify
Status: NEW
Outdated: Yes
CWE: CWE-125
CVE: CVE-2019-6286
Maven-com.adobe.cq:core.wcm.components.core-2.11.0
NEW | 79
State: To Verify
Status: NEW
Version: 2.11.0
Outdated: Yes
CWE: CWE-79
CVE: CVE-2022-35697
Description: Adobe Experience Manager Core Components version 2.20.6 (and earlier) is affected by a
reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to
visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within
the context of the victim's browser. Exploitation of this issue requires a low author privilege
access.
Npm-node-sass-6.0.1
NEW | 125
State: To Verify
Status: NEW
Outdated: Yes
CWE: CWE-125
CVE: CVE-2019-6283
Npm-postcss-7.0.39
NEW | 74
State: To Verify
Status: NEW
Version: 7.0.39
Outdated: Yes
CWE: CWE-74
CVE: CVE-2023-44270
Description: An issue was discovered in postcss versions prior to 8.4.31. The vulnerability affects linters
using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way
that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS,
they will be included in the PostCSS output in CSS nodes (rules, properties) despite being
included in a comment.
Npm-request-2.88.2
NEW | 918
State: To Verify
Status: NEW
First scan id: d0d36468-8514-4da1-bc15-4a0626cf88c1
Outdated: No
CWE: CWE-918
CVE: CVE-2023-28155
Description: The request package for "Node.js" allows a bypass of Server Side Request Forgery (SSRF)
mitigations via an attacker-controlled server that does a Cross-Protocol Redirect (HTTP to
HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer
supported by the maintainer.
Maven-commons-codec:commons-codec-1.11
NEW | 200
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Found date: 2023-10-24 16:40:35 +0000 UTC
CWE: CWE-200
CVE: Cxeb68d52e-5509
Description: Apache commons-codec before 1.13 is vulnerable to information exposure. The Base32 and
Base64 implementations blindly decode invalid strings, which can be re-encoded again using the
same implementation. This can result in a security exploitation such as tunneling additional
information via seemingly valid Base32 strings.
Maven-com.google.guava:guava-14.0.1
NEW | 732
State: To Verify
Status: NEW
First scan id: feb031bf-9686-4c2e-aadc-7d87130e1725
Outdated: Yes
CWE: CWE-732
CVE: CVE-2020-8908
Description: A temp directory creation vulnerability exists in Guava versions prior to 30.0 allowing an
attacker with access to the machine to potentially access data in a temporary directory created
by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the
directory created default to the standard unix-like /tmp ones, leaving the files open. We
recommend updating Guava to version 30.0 or later, or updating to Java 7 or later, or
explicitly changing the permissions after the creation of the directory if neither is possible.
Maven-com.google.guava:guava-15.0
NEW | 732
State: To Verify
Status: NEW
First scan id: 20c14377-7c1a-4a50-ac7d-5630632221b0
CWE: CWE-732
CVE: CVE-2020-8908
Description: A temp directory creation vulnerability exists in Guava versions prior to 30.0 allowing an
attacker with access to the machine to potentially access data in a temporary directory created
by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the
directory created default to the standard unix-like /tmp ones, leaving the files open. We
recommend updating Guava to version 30.0 or later, or updating to Java 7 or later, or
explicitly changing the permissions after the creation of the directory if neither is possible.