Result Summary
Vulnerabilities
OWASP Top 10

Category | Result
---|---
A01 | NO
A02 | NO
A03 | YES
A04 | NO
A05 | WARNING
A06 | YES
A07 | NO
A08 | NO
A09 | NAP
A10 | NO
Detailed Results
Vulnerability | Risk | Component | Impact | Status
---|---|---|---|---
Multiple outdated dependencies in frontend Dockerfile | Critical | npm node:16 base image | The base image should be upgraded to node:16.17.0-bullseye-slim |
Multiple outdated dependencies in backend Dockerfile | Critical | python:3.8-buster | The base image should be upgraded to python:3.9.13-slim |
Multiple outdated dependencies in requirements.txt | Critical | pyjwt@1.7.0 | The following modules/libraries should be upgraded to: |
Multiple outdated dependencies in package.json | High | react-scripts@4.0.3 | The following modules/libraries should be upgraded to react-scripts@5.0.0 |
Password stored as environment variable in plaintext | High | DB_Password | Consider storing the password in an encrypted form (secure string on Windows or AES encrypted on Linux systems) |
Cross-Site Request Forgery (CSRF) | Medium | openimis-fe_js/server.js | Since the underlying application is built on Express, a dedicated middleware such as csurf that implements CSRF protection should be used | 🧑🏭
Command Injection | Medium | openimis-fe_js/dev_tools/installModuleLocally.js | Any user input should first be sanitized and then strictly validated against the expected format (blocklists/regex match) before being used in a shell command | 🧑🏭
Information Exposure | Medium | openimis-fe_js/server.js | Consider using the Helmet middleware, which disables the X-Powered-By header | 🧑🏭
Allocation of Resources Without Limits or Throttling | Medium | openimis-fe_js/server.js | Consider using a rate-limiting middleware such as express-limit | 🧑🏭
Remediation
All critical and high risk findings were fixed immediately. Lower risk findings were addressed in the issue queue (🧑🏭). No instances in countries were affected.
Report