wasptree / verademo

A deliberately insecure Java web application
MIT License

Improper Neutralization of CRLF Sequences ('CRLF Injection') [VID:93:com/veracode/verademo/controller/UserController.java:433] #568

Closed github-actions[bot] closed 2 years ago

github-actions[bot] commented 2 years ago

https://github.com/wasptree/verademo/blob/360fca1ffde66d61e85aa0f3190c17bc0f2b535d/com/veracode/verademo/controller/UserController.java#L428-L438

Filename: com/veracode/verademo/controller/UserController.java

Line: 433

CWE: 93 (Improper Neutralization of CRLF Sequences ('CRLF Injection'))

This call to javax.mail.Message.setSubject() contains a CRLF injection flaw. Writing untrusted input to an interface or external application that treats the CRLF (carriage return line feed) sequence as a delimiter to separate lines or records can result in that data being misinterpreted. The first argument to setSubject() contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry and java.sql.Statement.executeQuery. Sanitize CRLF sequences from untrusted input. References: CWE, OWASP, Supported Cleansers.

github-actions[bot] commented 2 years ago

Veracode issue link to PR: https://github.com/wasptree/verademo/pull/387