All high vulnerabilities reported by Checkmarx have been confirmed and fixed.
The other vulnerabilities are either still in review or confirmed; all of them relate to incomplete filtering of inputs.
For the confirmed ones, the fix is in progress: to avoid further vulnerabilities caused by missing input filtering, the ongoing implementation hooks the input filters at a lower level in ev-server (before any individual handler runs), and it still needs work.
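The "lower-level input filter hook" mentioned above, as an added illustration that is not ev-server's own code: one sanitizing step applied to every request before any route handler sees it, so no individual handler can forget to filter. It assumes an Express-style `(req, res, next)` middleware signature and request fields named `body`, `query` and `params`; the concrete filtering rules (control-character stripping, HTML escaping, dropping `$`-prefixed keys, a nesting-depth limit) are illustrative choices, not the rules ev-server implements. No framework is needed to run it.

```javascript
// Added example (not ev-server's code): a single sanitizing hook that runs
// before any route handler, so every body / query / path parameter is filtered
// in one place instead of relying on each handler to do it.
// Assumptions: Express-style (req, res, next) middleware; plain-object fields.

const MAX_DEPTH = 16; // refuse absurdly nested input rather than recursing forever

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Remove NUL and other C0 control characters (keeping tab, LF, CR), then
// escape the characters that matter if the value is later reflected in HTML.
function sanitizeString(s) {
  const stripped = s.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');
  return stripped.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk any JSON-like value: strings are sanitized, arrays and objects recursed,
// keys beginning with '$' are dropped (operators rather than data in several
// query DSLs), other primitives pass through unchanged.
function sanitizeValue(value, depth = 0) {
  if (depth > MAX_DEPTH) {
    throw new Error(`input nested deeper than ${MAX_DEPTH} levels`);
  }
  if (typeof value === 'string') return sanitizeString(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeValue(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      if (key.startsWith('$')) continue;
      out[sanitizeString(key)] = sanitizeValue(v, depth + 1);
    }
    return out;
  }
  return value; // number, boolean, null, undefined
}

// The low-level hook itself: registered once, ahead of every route.
function sanitizeRequest(req, res, next) {
  try {
    for (const field of ['body', 'query', 'params']) {
      if (req[field] !== undefined) req[field] = sanitizeValue(req[field]);
    }
    next();
  } catch (err) {
    // Reject rather than pass partially filtered input downstream.
    res.statusCode = 400;
    res.end(`Bad Request: ${err.message}`);
  }
}

// Constructed sample request (not real traffic): an HTML tag in a name,
// a NUL byte in a query value and an operator-style key in the body.
function runDemo() {
  const req = {
    body: { name: 'Station <script>alert(1)</script>', $where: 'x', tags: ['ok', "it's"] },
    query: { search: 'abc\u0000def' },
    params: { id: '42' },
  };
  const res = { statusCode: 200, end() {} };
  let reached = false;
  sanitizeRequest(req, res, () => { reached = true; });
  return { req, statusCode: res.statusCode, reached };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Registering such a hook once (for instance `app.use(sanitizeRequest)` in an Express application) is what makes the filtering independent of individual handlers; the trade-off is that output-context escaping (HTML here) done at input time can mangle data that is never rendered as HTML, so a real implementation would normally validate and reject at input and escape at output.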
Checkmarx first run (ev-server): https://cx.wdf.sap.corp/CxWebClient/ViewerMain.aspx?scanid=4094369&projectid=58240
Checkmarx second run (ev-server & ev-dashboard-new): https://cx.wdf.sap.corp/CxWebClient/ViewerMain.aspx?scanid=4124454&projectid=58694
Checkmarx third run (ev-server & ev-dashboard-new): https://cx.wdf.sap.corp/CxWebClient/ViewerMain.aspx?scanid=4124424&projectid=58693
Pentest outcomes: http://10.55.129.88:5985