CxScanReport 2023-12-15 122632


reports.app
Code Security Report

7852ebaf-7acf-4aa6-9800-6e7faa3d0457 | 2023-12-15T12:26:30.447Z

1/30
Table of Contents

Executive Summary

Scan Summary

Scan Results

SAST

SCA

IaC Security

Executive Summary

Total Vulnerabilities | High | Med | Low | Info
21 | 5 | 16 | 0 | 0

Vulnerabilities per Scanner

[Bar chart, not reproduced: vulnerabilities per scanner by severity. SAST: 4 High, 14 Medium; SCA: 1 High, 2 Medium; no Low or Info results for either scanner.]

Scan Information

Project name: reports.app
Scanners: SAST, SCA
Risk level: High

Result triage:
SAST: Confirmed 0%, Not Exploitable 0%, Proposed Not Exploitable 0%, To Verify 100%, Urgent 0%
SCA: Confirmed 0%, Not Exploitable 0%, Proposed Not Exploitable 0%, To Verify 100%, Urgent 0%
Scan Summary

Scan ID: c7c8d627-a02e-43bd-b6a4-79bc51407439

Languages: csharp

Number of scanners: 2
Completed date: 2023-12-15 11:58:53.89675 +0000 UTC

Scanner types: SAST, SCA

ASD STIG 4.10

Category | High | Med | Low
APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. | - | 12 | -
APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities. | 4 | - | -

CWE top 25

Category | High | Med | Low
CWE top 25 | 4 | 13 | -

FISMA 2014

Category | High | Med | Low
Identification And Authentication | - | 12 | -
System And Information Integrity | 4 | - | -

MOIS(KISA) Secure Coding 2021

Category | High | Med | Low
MOIS(KISA) Security Functions | - | 12 | -
MOIS(KISA) Verification and representation of input data | 4 | 1 | -

NIST SP 800-53

Category | High | Med | Low
SC-4 Information in Shared Resources (P1) | - | 12 | -
SI-15 Information Output Filtering (P0) | 4 | - | -

OWASP ASVS

Category | High | Med | Low
V05 Validation, Sanitization and Encoding | 4 | - | -
V10 Malicious Code | - | 12 | -
V12 Files and Resources | - | 1 | -
V14 Configuration | - | 1 | -

OWASP Top 10 2013

Category | High | Med | Low
A3-Cross-Site Scripting (XSS) | 4 | - | -
A4-Insecure Direct Object References | - | 1 | -
A6-Sensitive Data Exposure | - | 12 | -

OWASP Top 10 2017

Category | High | Med | Low
A3-Sensitive Data Exposure | - | 12 | -
A5-Broken Access Control | - | 1 | -
A7-Cross-Site Scripting (XSS) | 4 | - | -

OWASP Top 10 2021

Category | High | Med | Low
A1-Broken Access Control | - | 13 | -
A3-Injection | 4 | - | -
A7-Identification and Authentication Failures | - | 1 | -

PCI DSS v3.2.1

Category | High | Med | Low
PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection | - | 12 | -
PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS) | 4 | - | -
PCI DSS (3.2.1) - 6.5.8 - Improper access control | - | 1 | -

SANS top 25

Category | High | Med | Low
SANS top 25 | 4 | 13 | -

Scan Results

SAST

Total | High | Med | Low | Info
18 | 4 | 14 | 0 | 0

csharp

Reflected_XSS_All_Clients

Description: The method @DestinationMethod embeds untrusted data in generated output with @DestinationElement, at line
@DestinationLine of @DestinationFile. This untrusted data is embedded into the output without proper
sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page. The attacker
would be able to alter the returned web page by simply providing modified data in the user input @SourceElement,
which is read by the @SourceMethod method at line @SourceLine of @SourceFile. This input then flows through
the code straight to the output web page, without sanitization. This can enable a Reflected Cross-Site Scripting
(XSS) attack.

Query Path: CSharp/CSharp_High_Risk/Reflected_XSS_All_Clients

Total Flows: 3

All three flows are RECURRENT, share the fields below, and differ only in the destination line.

State: To Verify
Status: RECURRENT
Group name: CSharp_High_Risk
First scan id: 0d57f9ed-43ff-47d9-941b-e40a32efc0e4
Found date: 2023-12-15 11:58:41 +0000 UTC
First found date: 2023-12-13 07:52:49 +0000 UTC
Source element: reportData
Source file: /reports.app/Controllers/ExportController.cs
Source method: ExportToPDF
Source line: 61
Destination element: Text
Destination file: /reports.app/Reports/JointDataSheetReport.cs
Destination method: JointDataSheetReportControlsTextBinding
Destination line: 69, 59 and 54 (one flow each)
Compliances: OWASP ASVS, PCI DSS v3.2.1, CWE top 25, SANS top 25, MOIS(KISA) Secure Coding 2021, OWASP Top 10 2013, NIST SP 800-53, OWASP Top 10 2017, OWASP Top 10 2021, ASD STIG 4.10, FISMA 2014
CWE: CWE-79

Stored_XSS

Description: The method @DestinationMethod embeds untrusted data in generated output with @DestinationElement, at line
@DestinationLine of @DestinationFile. This untrusted data is embedded into the output without proper
sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page. The attacker
would be able to alter the returned web page by saving malicious data in a data-store ahead of time. The
attacker's modified data is then read from the database by the @SourceMethod method with @SourceElement, at
line @SourceLine of @SourceFile. This untrusted data then flows through the code straight to the output web
page, without sanitization. This can enable a Stored Cross-Site Scripting (XSS) attack.

Query Path: CSharp/CSharp_High_Risk/Stored_XSS

Total Flows: 1

State: To Verify
Status: RECURRENT
Group name: CSharp_High_Risk
First scan id: 4cf5c530-a6e2-449a-8c2e-eccb8e056763
Found date: 2023-12-15 11:58:41 +0000 UTC
First found date: 2023-12-13 07:52:49 +0000 UTC
Source element: ReadAllText
Source file: /reports.app/Reports/TestReport.cs
Source method: TestReport
Source line: 21
Destination element: Text
Destination file: /reports.app/Reports/TestReport.cs
Destination method: TestReport
Destination line: 22
Compliances: NIST SP 800-53, SANS top 25, MOIS(KISA) Secure Coding 2021, ASD STIG 4.10, OWASP Top 10 2017, CWE top 25, OWASP ASVS, FISMA 2014, OWASP Top 10 2021, PCI DSS v3.2.1, OWASP Top 10 2013
CWE: CWE-79

Privacy_Violation

Description: Method @SourceMethod at line @SourceLine of @SourceFile sends user information outside the application. This
may constitute a Privacy Violation.

Query Path: CSharp/CSharp_Medium_Threat/Privacy_Violation

Total Flows: 12

All 12 flows are NEW, share the fields below, and differ only in the source element and its line (for every flow the source line and destination line are the same).

State: To Verify
Status: NEW
Group name: CSharp_Medium_Threat
First scan id: 6cf32dad-b9e8-4264-9477-26fb6ab0b0cd
Found date: 2023-12-15 11:58:41 +0000 UTC
First found date: 2023-12-15 11:58:40 +0000 UTC
Source file: /reports.app/Reports/JointDataSheetReport.cs
Source method: JointDataSheetReportDataBinding
Destination element: Text
Destination file: /reports.app/Reports/JointDataSheetReport.cs
Destination method: JointDataSheetReportDataBinding
Compliances: OWASP Top 10 2013, ASD STIG 4.10, SANS top 25, CWE top 25, OWASP ASVS, FISMA 2014, MOIS(KISA) Secure Coding 2021, NIST SP 800-53, OWASP Top 10 2017, OWASP Top 10 2021, PCI DSS v3.2.1
CWE: CWE-359

Source element | Source / destination line
pass4Percentage | 475
pass3Percentage | 474
pass2Percentage | 473
pass1Percentage | 472
pass4Metric | 449
pass4Imperial | 448
pass3Metric | 447
pass3Imperial | 446
pass2Metric | 445
pass2Imperial | 444
pass1Metric | 443
pass1Imperial | 442

Path_Traversal

Description: Method @SourceMethod at line @SourceLine of @SourceFile gets dynamic data from the @SourceElement
element. This element’s value then flows through the code and is eventually used in a file path for local disk
access in @DestinationMethod at line @DestinationLine of @DestinationFile. This may cause a Path Traversal
vulnerability.

Query Path: CSharp/CSharp_Medium_Threat/Path_Traversal

Total Flows: 1

State: To Verify
Status: RECURRENT
Group name: CSharp_Medium_Threat
First scan id: 0d57f9ed-43ff-47d9-941b-e40a32efc0e4
Found date: 2023-12-15 11:58:41 +0000 UTC
First found date: 2023-12-13 07:52:49 +0000 UTC
Source element: reportData
Source file: /reports.app/Controllers/ExportController.cs
Source method: ExportToPDF
Source line: 61
Destination element: ReadAllText
Destination file: /reports.app/Helpers/Common/PrepareJsonObject.cs
Destination method: GetjsonObject
Destination line: 14
Compliances: OWASP Top 10 2017, OWASP Top 10 2021, PCI DSS v3.2.1, SANS top 25, CWE top 25, MOIS(KISA) Secure Coding 2021, OWASP ASVS, OWASP Top 10 2013
CWE: CWE-22

Missing_HSTS_Header

Description: The web application does not define an HTTP Strict Transport Security (HSTS) header, leaving it vulnerable to attack.

Query Path: CSharp/CSharp_Medium_Threat/Missing_HSTS_Header

Total Flows: 1

State: To Verify
Status: RECURRENT
Group name: CSharp_Medium_Threat
First scan id: 89cca8f9-e8dd-4fdd-87b5-2493e58268d6
Found date: 2023-12-15 11:58:41 +0000 UTC
First found date: 2023-12-13 07:52:49 +0000 UTC
Source element: UseHsts
Source file: /reports.app/Startup.cs
Source method: Configure
Source line: 86
Compliances: OWASP Top 10 2021, OWASP ASVS
CWE: CWE-346

SCA

Total | High | Med | Low | Info
3 | 1 | 2 | 0 | 0

Vulnerable packages (3)

Nuget-System.Security.Cryptography.Pkcs-6.0.3

RECURRENT | CWE-400

State: To Verify
Status: RECURRENT
First scan id: 4cf5c530-a6e2-449a-8c2e-eccb8e056763
Found date: 2023-12-15 11:52:38 +0000 UTC
First found date: 2023-11-22 07:00:48 +0000 UTC
Version: 6.0.3
Outdated: Yes
CWE: CWE-400
CVE: CVE-2023-29331
Description: .NET, .NET Framework, and Visual Studio denial of service vulnerability. Affected: .NET 6.0.0 prior to 6.0.18 and 7.0.x prior to 7.0.7; Microsoft.Windows.Compatibility 6.0.x prior to 6.0.6 and 7.0.x prior to 7.0.3; System.Security.Cryptography.Pkcs 6.0.x prior to 6.0.3 and 7.0.x prior to 7.0.2.
Note: the affected range given for System.Security.Cryptography.Pkcs ends before 6.0.3, which is the version flagged here; confirm the version match before triaging this result.

Npm-jquery-3.5.1

RECURRENT | CWE-200

State: To Verify
Status: RECURRENT
First scan id: a0b025ec-c2c4-4744-a0a9-5d723d7ae21d
Found date: 2023-12-15 11:52:38 +0000 UTC
First found date: 2023-03-13 12:56:32 +0000 UTC
Version: 3.5.1
Outdated: Yes
CWE: CWE-200
CVE: CVE-2007-2379
Description: The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." The package maintainer disputes the validity of this vulnerability since it is expected language behavior. If JSONP is used in a browser, the vulnerability is not exploitable, but it is up to the consumer application to use protective measures and not up to jQuery to fix it.

Npm-jquery-3.5.1

RECURRENT | CWE-79

State: To Verify
Status: RECURRENT
First scan id: a0b025ec-c2c4-4744-a0a9-5d723d7ae21d
Found date: 2023-12-15 11:52:38 +0000 UTC
First found date: 2023-03-13 12:56:32 +0000 UTC
Version: 3.5.1
Outdated: Yes
CWE: CWE-79
CVE: CVE-2014-6071
Description: jQuery can potentially allow remote attackers to conduct Cross-Site Scripting (XSS) attacks when using methods such as "jQuery()", "append()" and "after()". These methods accept an HTML string and can, by design, execute code. This vulnerability can be avoided by sanitizing inputs such as URL query parameters, cookies, or form inputs when obtained from untrusted sources. This issue was not fixed because it is considered to be present by design, and it was documented for users to be careful when passing user input to specific functions. This security issue exists in all jQuery versions.

IaC Security

Total | High | Med | Low | Info
0 | 0 | 0 | 0 | 0
