cx-flowrepo's People
Contributors
Watchers
cx-flowrepo's Issues
CX Reflected_XSS_All_Clients @ BookDetail_jsp1.java [master]
Reflected_XSS_All_Clients issue exists @ BookDetail_jsp1.java in branch master
Method getParam at line 167 of BookDetail_jsp1.java gets user input for the paramName element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method Detail_Show at line 501 of BookDetail_jsp1.java. This may enable a Cross-Site-Scripting attack.
Severity: High
CWE:79
Lines: 168
String param = req.getParameter(paramName);
CX SQL_Injection @ BookDetail_jsp.java [alexey-2]
SQL_Injection issue exists @ BookDetail_jsp.java in branch alexey-2
The application's RatingAction method executes an SQL query with executeUpdate, at line 883 of BookDetail_jsp.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input paramName, which is read by the getParam method at line 167 of BookDetail_jsp.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.
Severity: High
CWE:89
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
CX Hardcoded_password_in_Connection_String @ BookDetail_jsp2.java [master]
Hardcoded_password_in_Connection_String issue exists @ BookDetail_jsp2.java in branch master
The application contains hardcoded connection details, """", at line 35 of BookDetail_jsp2.java. This connection string contains a hardcoded password, which is used in cn at line 115 of BookDetail_jsp2.java to connect to a database server with getConnection. This can expose the database password, and impede proper password management.
Severity: Medium
CWE:547
Vulnerability details and guidance
Lines: 35
static final String DBpassword="";
CX SQL_Injection @ BookDetail_jsp.java [develop]
SQL_Injection issue exists @ BookDetail_jsp.java in branch develop
The application's RatingAction method executes an SQL query with executeUpdate, at line 883 of BookDetail_jsp.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input paramName, which is read by the getParam method at line 167 of BookDetail_jsp.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.
Severity: High
CWE:89
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
CX SQL_Injection @ /BookDetail_jsp2.java [master]
SQL_Injection issue exists @ /BookDetail_jsp2.java in branch master
An attacker can exploit missing input validation to modify the commands sent to the database. This will allow the attacker to read, change or delete sensitive data.
Severity: HIGH
CWE:89
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
CX HTTP_Response_Splitting @ BookDetail_jsp.java [master]
HTTP_Response_Splitting issue exists @ BookDetail_jsp.java in branch master
Method getParam at line 167 of BookDetail_jsp.java gets user input from the paramName element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in an HTTP response header in DetailAction at line 431 of BookDetail_jsp.java. This may enable an HTTP Response Splitting attack, in certain older versions that do not mitigate this attack.
Severity: Medium
CWE:113
Vulnerability details and guidance
String param = req.getParameter(paramName);
response.sendRedirect("Login.jsp?querystring=" + toURL(request.getQueryString()) + "&ret_page=" + toURL(request.getRequestURI()));
CX SQL_Injection @ BookDetail_jsp.java [master]
SQL_Injection issue exists @ BookDetail_jsp.java in branch master
The application's RatingAction method executes an SQL query with executeUpdate, at line 883 of BookDetail_jsp.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input paramName, which is read by the getParam method at line 167 of BookDetail_jsp.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.
Severity: High
CWE:89
Lines: 168
String param = req.getParameter(paramName);
CX Hardcoded_password_in_Connection_String @ BookDetail_jsp.java [master]
Hardcoded_password_in_Connection_String issue exists @ BookDetail_jsp.java in branch master
The application contains hardcoded connection details, """", at line 35 of BookDetail_jsp.java. This connection string contains a hardcoded password, which is used in cn at line 115 of BookDetail_jsp.java to connect to a database server with getConnection. This can expose the database password, and impede proper password management.
Severity: Medium
CWE:547
Vulnerability details and guidance
Lines: 35
static final String DBpassword="";
CX Reflected_XSS_All_Clients @ BookDetail_jsp.java [develop]
Reflected_XSS_All_Clients issue exists @ BookDetail_jsp.java in branch develop
Method getParam at line 167 of BookDetail_jsp.java gets user input for the paramName element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method Detail_Show at line 501 of BookDetail_jsp.java. This may enable a Cross-Site-Scripting attack.
Severity: High
CWE:79
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
CX XSRF @ BookDetail_jsp2.java [master]
XSRF issue exists @ BookDetail_jsp2.java in branch master
Method getParam at line 167 of BookDetail_jsp2.java gets a parameter from a user request URL from element paramName. This parameter value flows through the code and is eventually used to modify database contents. The application does not require renewed user authentication for the request. This may enable Cross-Site Request Forgery (XSRF).
Severity: Medium
CWE:352
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
CX XSRF @ BookDetail_jsp.java [master]
XSRF issue exists @ BookDetail_jsp.java in branch master
Method getParam at line 167 of BookDetail_jsp.java gets a parameter from a user request URL from element paramName. This parameter value flows through the code and is eventually used to modify database contents. The application does not require renewed user authentication for the request. This may enable Cross-Site Request Forgery (XSRF).
Severity: Medium
CWE:352
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
002
Reflected_XSS_All_Clients issue exists @ BookDetail_jsp.java in branch master
Method getParam at line 167 of BookDetail_jsp.java gets user input for the paramName element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method Detail_Show at line 501 of BookDetail_jsp.java. This may enable a Cross-Site-Scripting attack.
Severity: High
CWE:79
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
CX Reflected_XSS_All_Clients @ BookDetail_jsp.java [master]
Reflected_XSS_All_Clients issue exists @ BookDetail_jsp.java in branch master
Method getParam at line 167 of BookDetail_jsp.java gets user input for the paramName element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method Detail_Show at line 501 of BookDetail_jsp.java. This may enable a Cross-Site-Scripting attack.
Severity: High
CWE:79
Lines: 168
String param = req.getParameter(paramName);
CX Reflected_XSS_All_Clients @ BookDetail_jsp.java [alexey-2]
Reflected_XSS_All_Clients issue exists @ BookDetail_jsp.java in branch alexey-2
Method getParam at line 167 of BookDetail_jsp.java gets user input for the paramName element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method Detail_Show at line 501 of BookDetail_jsp.java. This may enable a Cross-Site-Scripting attack.
Severity: High
CWE:79
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
001
SQL_Injection issue exists @ BookDetail_jsp.java in branch master
The application's RatingAction method executes an SQL query with executeUpdate, at line 883 of BookDetail_jsp.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input paramName, which is read by the getParam method at line 167 of BookDetail_jsp.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.
Severity: High
CWE:89
Vulnerability details and guidance
Lines: 168
String param = req.getParameter(paramName);
CX Cross_Site_History_Manipulation @ BookDetail_jsp.java [master]
Cross_Site_History_Manipulation issue exists @ BookDetail_jsp.java in branch master
Method checkSecurity at line 397 of BookDetail_jsp.java may leak server-side conditional values, enabling user tracking from another website. This may constitute a Privacy Violation.
Severity: Medium
CWE:203
Vulnerability details and guidance
Lines: 408
if ( bRedirect ) {
CX Cross_Site_History_Manipulation @ BookDetail_jsp2.java [master]
Cross_Site_History_Manipulation issue exists @ BookDetail_jsp2.java in branch master
Method checkSecurity at line 397 of BookDetail_jsp2.java may leak server-side conditional values, enabling user tracking from another website. This may constitute a Privacy Violation.
Severity: Medium
CWE:203
Vulnerability details and guidance
Lines: 408
if ( bRedirect ) {
CX HTTP_Response_Splitting @ BookDetail_jsp2.java [master]
HTTP_Response_Splitting issue exists @ BookDetail_jsp2.java in branch master
Method getParam at line 167 of BookDetail_jsp2.java gets user input from the paramName element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in an HTTP response header in DetailAction at line 431 of BookDetail_jsp2.java. This may enable an HTTP Response Splitting attack, in certain older versions that do not mitigate this attack.
Severity: Medium
CWE:113
Vulnerability details and guidance
String param = req.getParameter(paramName);
response.sendRedirect("Login.jsp?querystring=" + toURL(request.getQueryString()) + "&ret_page=" + toURL(request.getRequestURI()));
CX SQL_Injection @ BookDetail_jsp1.java [master]
SQL_Injection issue exists @ BookDetail_jsp1.java in branch master
The application's RatingAction method executes an SQL query with executeUpdate, at line 883 of BookDetail_jsp1.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input paramName, which is read by the getParam method at line 167 of BookDetail_jsp1.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.
Severity: High
CWE:89
Lines: 168
String param = req.getParameter(paramName);
CX Open_Redirect @ BookDetail_jsp2.java [master]
Open_Redirect issue exists @ BookDetail_jsp2.java in branch master
A possible open redirect has been found at line 397 in BookDetail_jsp2.java file. This might lead to an untrusted site which mainly used for phishing.
Severity: Low
CWE:601
String param = req.getParameter(paramName);
response.sendRedirect("Login.jsp?querystring=" + toURL(request.getQueryString()) + "&ret_page=" + toURL(request.getRequestURI()));
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.