Content

Overview

Date	2022-09-14
Status	FIXED
Release	Release 2022-04
TestType	automatic
TestTopic	Penetration Test
Project	Project: Security 2022
Tester	SecurityOne
Standard	Background: Open Web Application Security Project (OWASP)

We don't have a way to export this macro.

A01	YES	OWASP A01:2021 – Broken Access Control
A02	NO	OWASP A02:2021 – Cryptographic Failures
A03	NO	OWASP A03:2021 – Injection
A04	YES	OWASP A04:2021 – Insecure Design
A05	YES	OWASP A05:2021 – Security Misconfiguration
A06	NO	OWASP A06:2021 – Vulnerable and Outdated Components
A07	NO	OWASP A07:2021 – Identification and Authentication Failures
A08	NO	OWASP A08:2021 – Software and Data Integrity Failures
A09	NO	OWASP A09:2021 – Security Logging and Monitoring Failures
A10	NO	OWASP A10:2021 – Server-Side Request Forgery (SSRF)

Vulnerability	Risk	Impact	Status
Broken Authorization	High	This allows a low privilege attacker to perform actions that a higher privilege user would normally have access to.	🧑‍🏭
Default Passwords Hardcoded	Low	In a default implementation of an openIMIS environment, an attacker with access with these passwords can potentially access confidential information.
GraphQL introspection enabled	Low	An attacker can map out the API’s schema and gather information related to its configuration. This could lead to further attacks and potential loss of sensitive information.	⛔
Cookie Without SECURE flag	Low	To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.	⛔

All errors were fixed ( ) or rejected as not applicable (⛔ ). No instances in countries were affected.

Error rendering macro 'viewpdf' : Failed to find attachment with Name openIMIS - External Penetration Test Report-1.pdf