Result Summary
Vulnerabilities
Page Properties

OWASP Top 10 | A01 | A02 | A03 | A04 | A05 | A06 | A07 | A08 | A09 | A10 |
---|---|---|---|---|---|---|---|---|---|---|
 | | | | | | | | | | |
Detailed Results
Vulnerability | Risk | Component | Impact | Status |
---|---|---|---|---|
Multiple outdated dependencies in frontend Dockerfile | Critical | npm node:16 base image | The base image should be upgraded to node:16.17.0-bullseye-slim | |
Multiple outdated dependencies in backend Dockerfile | Critical | python:3.8-buster | The base image should be upgraded to python:3.9.13-slim | |
Multiple outdated dependencies in requirements.txt | Critical | pyjwt@1.7.0 | The following modules/libraries should be upgraded to: | |
Multiple outdated dependencies in package.json | High | react-scripts@4.0.3 | The following modules/libraries should be upgraded to react-scripts@5.0.0 | |
Password stored as environment variable in plaintext | High | DB_Password | Consider storing the password in an encrypted form (SecureString on Windows or AES-encrypted on Linux systems) | |
Cross-Site Request Forgery (CSRF) | Medium | openimis-fe_js/server.js | Since the underlying application is built on Express, a dedicated middleware such as csurf that implements CSRF protection should be used | 🧑🏭 |
Command Injection | Medium | openimis-fe_js/dev_tools/installModuleLocally.js | Any user input should first be sanitized and then strictly validated against an expected format (blacklist/regex match) before being used in a shell command | 🧑🏭 |
Information Exposure | Medium | openimis-fe_js/server.js | Consider using the Helmet middleware, which disables the X-Powered-By header | 🧑🏭 |
Allocation of Resources Without Limits or Throttling | Medium | openimis-fe_js/server.js | Consider using a rate-limiting middleware such as express-limit | 🧑🏭 |
Remediation
All critical and high risk findings were fixed immediately ( ). Lower risk findings were addressed in the issue queue (🧑🏭). No instances in countries were affected.
Report