hugh-mend / juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
http://owasp-juice.shop
MIT License

Code Security Report: 9 high severity findings, 57 total findings #236

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago

Code Security Report

Latest Scan: 2022-12-15 09:55pm
Total Findings: 57
Tested Project Files: 407
Detected Programming Languages: 3

Language: TypeScript

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| Medium | CWE-798 | Hardcoded Password/Credentials | 1 |

Details

No high vulnerability findings detected. To view information on the remaining findings, navigate to the Mend SAST Application.

Language: JavaScript / Node.js

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| High | CWE-22 | Path/Directory Traversal | 3 |
| High | CWE-943 | NoSQL Injection | 6 |
| Medium | CWE-798 | Hardcoded Password/Credentials | 26 |
| Medium | CWE-338 | Weak Pseudo-Random | 9 |

Details

The below list presents the 9 high vulnerability findings that need your attention. To view information on these findings, navigate to the Mend SAST Application.

Path/Directory Traversal (CWE-22) : 3

Findings

routes/profileImageUrlUpload.js:27 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageUrlUpload.js#L22-L27
Trace https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageUrlUpload.js#L15 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageUrlUpload.js#L27
routes/profileImageUrlUpload.js:28 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageUrlUpload.js#L23-L28
Trace https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageUrlUpload.js#L15 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageUrlUpload.js#L27 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageUrlUpload.js#L28
routes/profileImageFileUpload.js:26 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L21-L26
Trace https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L15 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L16 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L17 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L26

NoSQL Injection (CWE-943) : 6

Findings

routes/likeProductReviews.js:35 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/likeProductReviews.js#L30-L35
Trace https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/likeProductReviews.js#L13 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/likeProductReviews.js#L35
routes/profileImageFileUpload.js:34 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L29-L34
Trace https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L15 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L16 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L17 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/profileImageFileUpload.js#L34
routes/order.js:31 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/order.js#L26-L31
Trace https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/order.js#L19 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/order.js#L31
routes/likeProductReviews.js:18 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/likeProductReviews.js#L13-L18
Trace https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/likeProductReviews.js#L13 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/likeProductReviews.js#L18
routes/orderHistory.js:34 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/orderHistory.js#L29-L34
routes/updateProductReviews.js:14 https://github.com/hugh-mend/juice-shop/blob/feffcb8558d0872e55df40e54896d08023acb975/routes/updateProductReviews.js#L9-L14

Language: Python

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| Medium | CWE-798 | Hardcoded Password/Credentials | 11 |
| Medium | CWE-676 | Miscellaneous Dangerous Functions | 1 |

Details

No high vulnerability findings detected. To view information on the remaining findings, navigate to the Mend SAST Application.

github-actions[bot] commented 2 years ago

Thanks a lot for opening your first issue with us! 🧡 We'll get back to you shortly! ⏳ If it was a Support Request, please consider asking on the community chat next time! 💬