Custodela / Riches


CX CGI_Stored_XSS @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/model/ProfileService.java [master] #87

Closed kmcdon83 closed 5 years ago

kmcdon83 commented 5 years ago

CGI_Stored_XSS issue exists @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/model/ProfileService.java in branch master

Unvalidated DB output was found in line number 192 in riches\WEB-INF\src\java\com\checkmarx\samples\riches\model\ProfileService.java file. A possible XSS exploitation was found in println at line number 109.

Severity: Medium. CWE: 79 (Vulnerability details and guidance; Internal Guidance). Lines: 178, 198, 199.

Code (Line #178):

            return session.find("SELECT profile.email FROM Profile profile");

Code (Line #198):

            Criteria criteria = session.createCriteria(Profile.class);

Code (Line #199):

            criteria.add(Expression.eq("email", email));

kmcdon83 commented 5 years ago

Issue still exists.

kmcdon83 commented 5 years ago

Issue still exists.