Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS vulnerability fix (powered by Mobb) #24

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

XSS vulnerability fix (powered by Mobb) #24

wants to merge 1 commit into from

Conversation

tomer-mobb
Copy link
Owner

This change fixes a medium severity (🟡) XSS issue reported by Checkmarx.

Issue description

Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to theft of session cookies, redirection to malicious websites, or defacement of the webpage.

Fix instructions

Implement input validation and output encoding. This includes sanitizing user input and escaping special characters to prevent execution of injected scripts.

More info and fix customization are available in the Mobb platform

@tomer-mobb
Copy link
Owner Author

Logo
Checkmarx One – Scan Summary & Detailscc1eaf2c-939c-4380-98bf-4e1dc4992f44

New Issues

Severity Issue Source File / Package Checkmarx Insight
CRITICAL CVE-2013-7285 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21342 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21344 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21345 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21346 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21347 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21350 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2021-21351 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
CRITICAL CVE-2022-1471 Maven-org.yaml:snakeyaml-1.33 Vulnerable Package
CRITICAL CVE-2023-34034 Maven-org.springframework.security:spring-security-web-6.1.0 Vulnerable Package
CRITICAL CVE-2023-34034 Maven-org.springframework.security:spring-security-config-6.1.0 Vulnerable Package
CRITICAL CVE-2024-31573 Maven-org.xmlunit:xmlunit-core-2.9.1 Vulnerable Package
CRITICAL CVE-2024-38821 Maven-org.springframework.security:spring-security-web-6.1.0 Vulnerable Package
HIGH CVE-2016-10707 Npm-jquery-1.10.2 Vulnerable Package
HIGH CVE-2016-10707 Npm-jquery-2.1.4 Vulnerable Package
HIGH CVE-2016-3674 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2017-7957 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2020-26217 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2020-26258 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21341 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21343 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21348 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21349 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-23358 Npm-underscore-1.10.2 Vulnerable Package
HIGH CVE-2021-29505 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39139 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39141 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39144 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39145 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39146 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39147 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39148 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39149 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39150 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39151 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39152 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39153 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39154 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-43859 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-40151 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-41966 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2023-1973 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2023-1973 Maven-io.undertow:undertow-servlet-2.3.6.Final Vulnerable Package
HIGH CVE-2023-24998 Maven-commons-fileupload:commons-fileupload-1.4 Vulnerable Package
HIGH CVE-2023-2976 Maven-com.google.guava:guava-31.1-jre Vulnerable Package
HIGH CVE-2023-3223 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2023-34053 Maven-org.springframework:spring-web-6.0.9 Vulnerable Package
HIGH CVE-2023-36478 Maven-org.eclipse.jetty.http2:http2-hpack-11.0.15 Vulnerable Package
HIGH CVE-2023-36478 Maven-org.eclipse.jetty:jetty-http-11.0.15 Vulnerable Package
HIGH CVE-2023-38286 Maven-org.thymeleaf:thymeleaf-3.1.1.RELEASE Vulnerable Package
HIGH CVE-2023-44487 Maven-org.eclipse.jetty.http2:http2-common-11.0.15 Vulnerable Package
HIGH CVE-2023-4639 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2023-51775 Maven-org.bitbucket.b_c:jose4j-0.9.3 Vulnerable Package
HIGH CVE-2023-5379 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2023-5685 Maven-org.jboss.xnio:xnio-api-3.8.8.Final Vulnerable Package
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-classic-1.4.7 Vulnerable Package
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-core-1.4.7 Vulnerable Package
HIGH CVE-2023-6481 Maven-ch.qos.logback:logback-core-1.4.7 Vulnerable Package
HIGH CVE-2024-1635 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2024-22201 Maven-org.eclipse.jetty.http2:http2-common-11.0.15 Vulnerable Package
HIGH CVE-2024-22234 Maven-org.springframework.security:spring-security-core-6.1.0 Vulnerable Package
HIGH CVE-2024-22234 Maven-org.springframework.security:spring-security-web-6.1.0 Vulnerable Package
HIGH CVE-2024-22243 Maven-org.springframework:spring-web-6.0.9 Vulnerable Package
HIGH CVE-2024-22257 Maven-org.springframework.security:spring-security-core-6.1.0 Vulnerable Package
HIGH CVE-2024-22259 Maven-org.springframework:spring-web-6.0.9 Vulnerable Package
HIGH CVE-2024-22262 Maven-org.springframework:spring-web-6.0.9 Vulnerable Package
HIGH CVE-2024-38809 Maven-org.springframework:spring-web-6.0.9 Vulnerable Package
HIGH CVE-2024-38816 Maven-org.springframework:spring-webmvc-6.0.9 Vulnerable Package
HIGH CVE-2024-38819 Maven-org.springframework:spring-webmvc-6.0.9 Vulnerable Package
HIGH CVE-2024-4109 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2024-47072 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2024-47554 Maven-commons-io:commons-io-2.11.0 Vulnerable Package
HIGH CVE-2024-5971 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2024-6162 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH CVE-2024-7885 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
HIGH Missing User Instruction /Dockerfile_desktop: 1 A user should be specified in the dockerfile, otherwise the image will run as root
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java: 51 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java: 51 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java: 35 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java: 37 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java: 37 Attack Vector
MEDIUM Absolute_Path_Traversal /src/main/java/org/owasp/webgoat/webwolf/FileServer.java: 74 Attack Vector
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile_desktop: 12 When installing a package, its pin version should be defined
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile_desktop: 12 When installing a package, its pin version should be defined
MEDIUM CVE-2015-9251 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2015-9251 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2016-10735 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2016-7103 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2018-14040 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2018-14040 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM CVE-2018-14042 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM CVE-2018-14042 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2018-20676 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2018-20677 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2019-11358 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2019-11358 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2019-8331 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2020-11022 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2020-11022 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2020-11023 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2020-11023 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2020-26259 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
MEDIUM CVE-2021-39140 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
MEDIUM CVE-2021-41182 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2021-41183 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2021-41184 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2022-31160 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2023-34035 Maven-org.springframework.security:spring-security-config-6.1.0 Vulnerable Package
MEDIUM CVE-2023-34055 Maven-org.springframework.boot:spring-boot-actuator-3.1.0 Vulnerable Package
MEDIUM CVE-2023-36479 Maven-org.eclipse.jetty:jetty-servlets-11.0.15 Vulnerable Package
MEDIUM CVE-2023-40167 Maven-org.eclipse.jetty:jetty-http-11.0.15 Vulnerable Package
MEDIUM CVE-2023-41329 Maven-com.github.tomakehurst:wiremock-3.0.0-beta-2 Vulnerable Package
MEDIUM CVE-2023-51074 Maven-com.jayway.jsonpath:json-path-2.8.0 Vulnerable Package
MEDIUM CVE-2024-1459 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
MEDIUM CVE-2024-3653 Maven-io.undertow:undertow-core-2.3.6.Final Vulnerable Package
MEDIUM CVE-2024-3653 Maven-io.undertow:undertow-servlet-2.3.6.Final Vulnerable Package
MEDIUM CVE-2024-38827 Maven-org.springframework.security:spring-security-core-6.1.0 Vulnerable Package
MEDIUM CVE-2024-38827 Maven-org.springframework.security:spring-security-crypto-6.1.0 Vulnerable Package
MEDIUM CVE-2024-38827 Maven-org.springframework.security:spring-security-web-6.1.0 Vulnerable Package
MEDIUM CVE-2024-38827 Maven-org.springframework.security:spring-security-config-6.1.0 Vulnerable Package
MEDIUM CVE-2024-6484 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2024-6484 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM CVE-2024-6485 Maven-org.webjars:bootstrap-3.3.7 Vulnerable Package
MEDIUM CVE-2024-6485 Npm-bootstrap-3.1.1 Vulnerable Package
MEDIUM CVE-2024-6762 Maven-org.eclipse.jetty:jetty-servlets-11.0.15 Vulnerable Package
MEDIUM CVE-2024-6763 Maven-org.eclipse.jetty:jetty-http-11.0.15 Vulnerable Package
MEDIUM CVE-2024-6763 Maven-org.eclipse.jetty:jetty-server-11.0.15 Vulnerable Package
MEDIUM CVE-2024-8184 Maven-org.eclipse.jetty:jetty-server-11.0.15 Vulnerable Package
MEDIUM CVE-2024-9823 Maven-org.eclipse.jetty:jetty-servlets-11.0.15 Vulnerable Package
MEDIUM Cxf0b588a3-5c6f Npm-jquery-2.1.4 Vulnerable Package
MEDIUM Cxf0b588a3-5c6f Npm-jquery-1.10.2 Vulnerable Package
MEDIUM Improper_Restriction_of_XXE_Ref /src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java: 87 Attack Vector
MEDIUM Improper_Restriction_of_XXE_Ref /src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java: 73 Attack Vector
MEDIUM Improper_Restriction_of_XXE_Ref /src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java: 62 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java: 68 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java: 137 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java: 57 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java: 55 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java: 155 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java: 203 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java: 180 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java: 55 Attack Vector
MEDIUM JWT_No_Signature_Verification /src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java: 107 Attack Vector
MEDIUM JWT_Sensitive_Information_Exposure /src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java: 137 Attack Vector
MEDIUM Parameter_Tampering

More results are available on AST platform

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tomer-mobb