Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsafe use of target blank vulnerability fix (powered by Mobb) #17

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Unsafe use of target blank vulnerability fix (powered by Mobb) #17

wants to merge 1 commit into from

Conversation

tomer-mobb
Copy link
Owner

This change fixes a low severity (🟢) Unsafe use of target blank issue reported by Checkmarx.

Issue description

Unsafe Target Blank occurs when developers use the target='_blank' attribute without the rel='noopener' attribute in anchor tags. This can lead to security vulnerabilities such as tabnabbing or reverse tabnabbing, allowing attackers to hijack user sessions or perform phishing attacks.

Fix instructions

Ensure that anchor tags with target='_blank' attribute include the rel='noopener' attribute to prevent potential security vulnerabilities. This prevents the newly opened page from accessing the window.opener property, mitigating the risk of tabnabbing or reverse tabnabbing attacks.

More info and fix customization are available in the Mobb platform

@tomer-mobb
Copy link
Owner Author

Logo
Checkmarx One – Scan Summary & Details3e650af1-ab01-49db-a82e-bd03a13d9777

New Issues

Severity Issue Source File / Package Checkmarx Insight
CRITICAL CVE-2013-7285 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2016-1000027 Maven-org.springframework:spring-webmvc-5.3.21 Vulnerable Package
CRITICAL CVE-2016-1000027 Maven-org.springframework:spring-web-5.3.21 Vulnerable Package
CRITICAL CVE-2021-21342 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21344 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21345 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21346 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21347 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21350 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21351 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2022-1471 Maven-org.yaml:snakeyaml-1.30 Vulnerable Package
CRITICAL CVE-2022-31692 Maven-org.springframework.security:spring-security-core-5.7.2 Vulnerable Package
CRITICAL CVE-2022-41853 Maven-org.hsqldb:hsqldb-2.5.2 Vulnerable Package
CRITICAL CVE-2022-42889 Maven-org.apache.commons:commons-text-1.9 Vulnerable Package
CRITICAL CVE-2023-20873 Maven-org.springframework.boot:spring-boot-actuator-autoconfigure-2.7.1 Vulnerable Package
CRITICAL CVE-2023-34034 Maven-org.springframework.security:spring-security-config-5.7.2 Vulnerable Package
CRITICAL CVE-2023-34034 Maven-org.springframework.security:spring-security-web-5.7.2 Vulnerable Package
CRITICAL CVE-2024-31573 Maven-org.xmlunit:xmlunit-core-2.9.0 Vulnerable Package
CRITICAL SQL_Injection /src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java: 56 Attack Vector
CRITICAL SQL_Injection /src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java: 52 Attack Vector
CRITICAL SQL_Injection /src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java: 47 Attack Vector
HIGH CVE-2016-10707 Npm-jquery-2.1.4 Vulnerable Package
HIGH CVE-2016-10707 Npm-jquery-1.10.2 Vulnerable Package
HIGH CVE-2016-3674 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2017-7957 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2020-26217 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2020-26258 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21341 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21343 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21348 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21349 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-29505 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39139 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39141 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39144 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39145 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39146 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39147 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39148 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39149 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39150 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39151 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39152 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39153 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39154 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-43859 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-0084 Maven-org.jboss.xnio:xnio-api-3.8.7.Final Vulnerable Package
HIGH CVE-2022-1259 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH CVE-2022-2053 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH CVE-2022-25857 Maven-org.yaml:snakeyaml-1.30 Vulnerable Package
HIGH CVE-2022-31690 Maven-org.springframework.security:spring-security-web-5.7.2 Vulnerable Package
HIGH CVE-2022-40151 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-40152 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-41966 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-42003 Maven-com.fasterxml.jackson.core:jackson-databind-2.13.3 Vulnerable Package
HIGH CVE-2022-42004 Maven-com.fasterxml.jackson.core:jackson-databind-2.13.3 Vulnerable Package
HIGH CVE-2022-4492 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH CVE-2023-1108 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH CVE-2023-1370 Maven-net.minidev:json-smart-2.4.8 Vulnerable Package
HIGH CVE-2023-20860 Maven-org.springframework:spring-webmvc-5.3.21 Vulnerable Package
HIGH CVE-2023-20883 Maven-org.springframework.boot:spring-boot-autoconfigure-2.7.1 Vulnerable Package
HIGH CVE-2023-24998 Maven-commons-fileupload:commons-fileupload-1.4 Vulnerable Package
HIGH CVE-2023-2976 Maven-com.google.guava:guava-30.1-jre Vulnerable Package
HIGH CVE-2023-31582 Maven-org.bitbucket.b_c:jose4j-0.7.6 Vulnerable Package
HIGH CVE-2023-36478 Maven-org.eclipse.jetty:jetty-http-9.4.48.v20220622 Vulnerable Package
HIGH CVE-2023-38286 Maven-org.thymeleaf:thymeleaf-3.0.15.RELEASE Vulnerable Package
HIGH CVE-2023-51775 Maven-org.bitbucket.b_c:jose4j-0.7.6 Vulnerable Package
HIGH CVE-2023-5379 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH CVE-2023-5685 Maven-org.jboss.xnio:xnio-api-3.8.7.Final Vulnerable Package
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-core-1.2.11 Vulnerable Package
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-classic-1.2.11 Vulnerable Package
HIGH CVE-2023-6481 Maven-ch.qos.logback:logback-core-1.2.11 Vulnerable Package
HIGH CVE-2024-22243 Maven-org.springframework:spring-web-5.3.21 Vulnerable Package
HIGH CVE-2024-22257 Maven-org.springframework.security:spring-security-core-5.7.2 Vulnerable Package
HIGH CVE-2024-22259 Maven-org.springframework:spring-web-5.3.21 Vulnerable Package
HIGH CVE-2024-22262 Maven-org.springframework:spring-web-5.3.21 Vulnerable Package
HIGH CVE-2024-5971 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH CVE-2024-6162 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH CVE-2024-7885 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
HIGH Cx8bc13cba-30bf Maven-org.bitbucket.b_c:jose4j-0.7.6 Vulnerable Package
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java: 51 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java: 51 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java: 35 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java: 37 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java: 37 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/webwolf/FileServer.java: 74 Attack Vector
MEDIUM CVE-2015-9251 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2015-9251 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2016-10735 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2016-7103 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2018-14040 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM CVE-2018-14040 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2018-14042 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM CVE-2018-14042 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2018-20676 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2018-20677 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2019-11358 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2019-11358 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2019-8331 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2020-11022 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2020-11022 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2020-11023 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2020-11023 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2020-26259 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
MEDIUM CVE-2021-29425 Maven-commons-io:commons-io-2.6 Vulnerable Package
MEDIUM CVE-2021-39140 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
MEDIUM CVE-2021-41182 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2021-41183 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2021-41184 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2022-2764 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
MEDIUM CVE-2022-31160 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2022-36033 Maven-org.jsoup:jsoup-1.14.3 Vulnerable Package
MEDIUM CVE-2022-38749 Maven-org.yaml:snakeyaml-1.30 Vulnerable Package
MEDIUM CVE-2022-38750 Maven-org.yaml:snakeyaml-1.30 Vulnerable Package
MEDIUM CVE-2022-38751 Maven-org.yaml:snakeyaml-1.30 Vulnerable Package
MEDIUM CVE-2022-38752 Maven-org.yaml:snakeyaml-1.30 Vulnerable Package
MEDIUM CVE-2022-41854 Maven-org.yaml:snakeyaml-1.30 Vulnerable Package
MEDIUM CVE-2023-20861 Maven-org.springframework:spring-expression-5.3.21 Vulnerable Package
MEDIUM CVE-2023-20862 Maven-org.springframework.security:spring-security-config-5.7.2 Vulnerable Package
MEDIUM CVE-2023-20862 Maven-org.springframework.security:spring-security-web-5.7.2 Vulnerable Package
MEDIUM CVE-2023-20863 Maven-org.springframework:spring-expression-5.3.21 Vulnerable Package
MEDIUM CVE-2023-26048 Maven-org.eclipse.jetty:jetty-util-9.4.48.v20220622 Vulnerable Package
MEDIUM CVE-2023-26048 Maven-org.eclipse.jetty:jetty-http-9.4.48.v20220622 Vulnerable Package
MEDIUM CVE-2023-26048 Maven-org.eclipse.jetty:jetty-server-9.4.48.v20220622 Vulnerable Package
MEDIUM CVE-2023-26049 Maven-org.eclipse.jetty:jetty-server-9.4.48.v20220622 Vulnerable Package
MEDIUM CVE-2023-26049 Maven-org.eclipse.jetty:jetty-http-9.4.48.v20220622 Vulnerable Package
MEDIUM CVE-2023-34055 Maven-org.springframework.boot:spring-boot-2.7.1 Vulnerable Package
MEDIUM CVE-2023-36479 Maven-org.eclipse.jetty:jetty-servlets-9.4.48.v20220622 Vulnerable Package
MEDIUM CVE-2023-40167 Maven-org.eclipse.jetty:jetty-http-9.4.48.v20220622 Vulnerable Package
MEDIUM CVE-2023-41329 Maven-com.github.tomakehurst:wiremock-2.27.2 Vulnerable Package
MEDIUM CVE-2023-51074 Maven-com.jayway.jsonpath:json-path-2.7.0 Vulnerable Package
MEDIUM CVE-2024-1459 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
MEDIUM CVE-2024-3653 Maven-io.undertow:undertow-core-2.2.18.Final Vulnerable Package
MEDIUM CVE-2024-3653 Maven-io.undertow:undertow-servlet-2.2.18.Final Vulnerable Package
MEDIUM CVE-2024-38808 Maven-org.springframework:spring-expression-5.3.21 Vulnerable Package
MEDIUM CVE-2024-6484 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2024-6484 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM CVE-2024-6485 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2024-6485 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM Cxf0b588a3-5c6f Npm-jquery-2.1.4 Vulnerable Package
MEDIUM Cxf0b588a3-5c6f Npm-jquery-1.10.2 Vulnerable Package
MEDIUM Improper_Restriction_of_XXE_Ref /src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java: 87 Attack Vector
MEDIUM Improper_Restriction_of_XXE_Ref /src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java: 73 Attack Vector
MEDIUM Improper_Restriction_of_XXE_Ref /src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java: 62 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java: 70 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java: 207 Attack Vector
MEDIUM

More results are available on AST platform

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tomer-mobb