ckalpakoglu
commented
1 year ago The issue has been closed by Kondukto since it is marked as won't fix.
Closed ckalpakoglu closed 1 year ago
ckalpakoglu
commented
1 year ago The issue has been closed by Kondukto since it is marked as won't fix.
Due Date: 2023-01-10
A critical severity vulnerability has been discovered in your project.
Project Name: kondukto-ui-vue
Scanner Name: dependabot
Cwe ID: 74
Cwe Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
Cwe Link: https://cwe.mitre.org/data/definitions/74.html
File: package-lock.json
Packages:
References:
Training(Secure Code Warrior):
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection
Videos:
Name: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Description: When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as “splitting” the stream into two different HTTP messages instead of one. CR is carriage return, also given by %0d or \r, and LF is line feed, also given by %0a or \n. In addition to CR and LF characters, other valid/RFC compliant special characters and unique character encodings can be utilized, such as HT (horizontal tab, also given by %09 or \t) and SP (space, also given as + sign or %20). These types of unvalidated and unexpected data in HTTP message headers allow an attacker to control the second "split" message to mount attacks such as server-side request forgery, cross-site scripting, and cache poisoning attacks.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection/http
Videos:
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection
Videos:
Name: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
Description: Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/misconfig
Videos:
Tool Description: ### Summary
ejs template injection vulnerability
Fixed Patch
3.1.7
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5830d80344746b537 Deeplink: https://github.com/advisories/GHSA-phwq-j96m-2c2q