@zerothreatai/vulnerability-registry 2.0.0 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/categories/authentication.js +17 -0
- package/dist/categories/configuration.js +501 -0
- package/dist/categories/injection.js +34 -0
- package/dist/categories/sensitive-paths.js +84 -0
- package/dist/categories/ssrf.js +11 -0
- package/dist/categories/xss.js +15 -0
- package/dist/category.d.ts +6 -0
- package/dist/category.js +15 -0
- package/dist/error-codes.d.ts +20 -0
- package/dist/error-codes.js +20 -0
- package/dist/index.d.ts +9 -1
- package/dist/index.js +5 -1
- package/dist/scanner.d.ts +6 -0
- package/dist/scanner.js +22 -0
- package/dist/types.d.ts +2 -0
- package/dist-cjs/categories/authentication.js +17 -0
- package/dist-cjs/categories/configuration.js +501 -0
- package/dist-cjs/categories/injection.js +34 -0
- package/dist-cjs/categories/sensitive-paths.js +84 -0
- package/dist-cjs/categories/ssrf.js +11 -0
- package/dist-cjs/categories/xss.js +15 -0
- package/dist-cjs/category.js +18 -0
- package/dist-cjs/error-codes.js +20 -0
- package/dist-cjs/index.js +7 -1
- package/dist-cjs/scanner.js +25 -0
- package/package.json +1 -1
- package/src/categories/authentication.js +54 -40
- package/src/categories/authentication.ts +134 -117
- package/src/categories/configuration.js +990 -114
- package/src/categories/configuration.ts +1625 -1104
- package/src/categories/injection.js +105 -74
- package/src/categories/injection.ts +129 -95
- package/src/categories/sensitive-paths.js +255 -174
- package/src/categories/sensitive-paths.ts +84 -0
- package/src/categories/ssrf.js +36 -28
- package/src/categories/ssrf.ts +11 -0
- package/src/categories/xss.js +47 -35
- package/src/categories/xss.ts +15 -0
- package/src/category.ts +16 -0
- package/src/error-codes.d.ts +38 -0
- package/src/error-codes.js +41 -6
- package/src/error-codes.ts +25 -5
- package/src/index.js +33 -48
- package/src/index.ts +20 -14
- package/src/scanner.ts +23 -0
- package/src/types.d.ts +2 -0
- package/src/types.js +1 -2
- package/src/types.ts +4 -2
- package/zerothreatai-vulnerability-registry-4npm .0.0.tgz +0 -0
|
@@ -1,22 +1,20 @@
|
|
|
1
|
-
"use strict";
|
|
2
1
|
/**
|
|
3
2
|
* Vulnerability Registry - Injection Vulnerabilities
|
|
4
3
|
*
|
|
5
4
|
* Definitions for SQL Injection, Command Injection, SSTI, XXE, LFI
|
|
6
5
|
*/
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
const error_codes_js_1 = require("../error-codes.js");
|
|
10
|
-
exports.INJECTION_VULNERABILITIES = {
|
|
6
|
+
import { VulnerabilityCode } from '../error-codes.js';
|
|
7
|
+
export const INJECTION_VULNERABILITIES = {
|
|
11
8
|
// ========================================
|
|
12
9
|
// SQL INJECTION
|
|
13
10
|
// ========================================
|
|
14
|
-
[
|
|
11
|
+
[VulnerabilityCode.SQLI_ERROR_BASED]: {
|
|
15
12
|
id: 1,
|
|
16
|
-
code:
|
|
13
|
+
code: VulnerabilityCode.SQLI_ERROR_BASED,
|
|
17
14
|
title: 'SQL Injection - Error Based',
|
|
18
15
|
description: 'Error-based SQL injection vulnerability detected where database error messages are reflected in the application response, allowing attackers to extract sensitive data from the database by manipulating SQL queries and analyzing error output.',
|
|
19
16
|
severity: 'high',
|
|
17
|
+
levelId: 2,
|
|
20
18
|
category: 'injection',
|
|
21
19
|
scanner: 'sql-injection',
|
|
22
20
|
cvss: {
|
|
@@ -32,12 +30,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
32
30
|
],
|
|
33
31
|
remediation: 'Use parameterized queries or prepared statements. Implement input validation and sanitization. Use stored procedures with parameterized inputs. Apply principle of least privilege to database accounts.',
|
|
34
32
|
},
|
|
35
|
-
[
|
|
33
|
+
[VulnerabilityCode.SQLI_BOOLEAN_BASED]: {
|
|
36
34
|
id: 2,
|
|
37
|
-
code:
|
|
35
|
+
code: VulnerabilityCode.SQLI_BOOLEAN_BASED,
|
|
38
36
|
title: 'SQL Injection - Boolean Based Blind',
|
|
39
37
|
description: 'Boolean-based blind SQL injection vulnerability where the application responds differently based on whether injected conditions evaluate to true or false, enabling attackers to infer database contents one bit at a time through systematic query manipulation.',
|
|
40
38
|
severity: 'high',
|
|
39
|
+
levelId: 2,
|
|
41
40
|
category: 'injection',
|
|
42
41
|
scanner: 'sql-injection',
|
|
43
42
|
cvss: {
|
|
@@ -53,12 +52,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
53
52
|
],
|
|
54
53
|
remediation: 'Use parameterized queries or prepared statements. Implement consistent error handling that does not reveal query success/failure. Apply input validation and output encoding.',
|
|
55
54
|
},
|
|
56
|
-
[
|
|
55
|
+
[VulnerabilityCode.SQLI_TIME_BASED]: {
|
|
57
56
|
id: 3,
|
|
58
|
-
code:
|
|
57
|
+
code: VulnerabilityCode.SQLI_TIME_BASED,
|
|
59
58
|
title: 'SQL Injection - Time Based Blind',
|
|
60
59
|
description: 'Time-based blind SQL injection vulnerability where attackers can infer database contents by measuring response time differences caused by injected time delay functions like SLEEP() or WAITFOR, enabling complete database extraction through timing analysis.',
|
|
61
60
|
severity: 'high',
|
|
61
|
+
levelId: 2,
|
|
62
62
|
category: 'injection',
|
|
63
63
|
scanner: 'sql-injection',
|
|
64
64
|
cvss: {
|
|
@@ -74,12 +74,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
74
74
|
],
|
|
75
75
|
remediation: 'Use parameterized queries or prepared statements. Implement query timeout limits. Apply input validation and sanitization. Monitor for abnormally slow queries.',
|
|
76
76
|
},
|
|
77
|
-
[
|
|
77
|
+
[VulnerabilityCode.SQLI_STACK_BASED]: {
|
|
78
78
|
id: 4,
|
|
79
|
-
code:
|
|
79
|
+
code: VulnerabilityCode.SQLI_STACK_BASED,
|
|
80
80
|
title: 'SQL Injection - Stacked Queries',
|
|
81
81
|
description: 'Critical stacked queries SQL injection vulnerability allowing attackers to execute multiple SQL statements in a single query, enabling destructive operations like DROP TABLE, INSERT into admin tables, or creating backdoor accounts with full database control.',
|
|
82
82
|
severity: 'critical',
|
|
83
|
+
levelId: 1,
|
|
83
84
|
category: 'injection',
|
|
84
85
|
scanner: 'sql-injection',
|
|
85
86
|
cvss: {
|
|
@@ -95,12 +96,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
95
96
|
],
|
|
96
97
|
remediation: 'Use parameterized queries exclusively. Disable multi-statement execution in database drivers. Implement strict input validation. Apply least privilege database permissions and prevent DDL execution.',
|
|
97
98
|
},
|
|
98
|
-
[
|
|
99
|
+
[VulnerabilityCode.SQLI_UNION_BASED]: {
|
|
99
100
|
id: 5,
|
|
100
|
-
code:
|
|
101
|
+
code: VulnerabilityCode.SQLI_UNION_BASED,
|
|
101
102
|
title: 'SQL Injection - UNION Based',
|
|
102
103
|
description: 'UNION-based SQL injection vulnerability allowing attackers to append additional SELECT queries using UNION operator, enabling direct extraction of data from other database tables including user credentials, personal information, and sensitive business data.',
|
|
103
104
|
severity: 'high',
|
|
105
|
+
levelId: 2,
|
|
104
106
|
category: 'injection',
|
|
105
107
|
scanner: 'sql-injection',
|
|
106
108
|
cvss: {
|
|
@@ -119,12 +121,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
119
121
|
// ========================================
|
|
120
122
|
// COMMAND INJECTION
|
|
121
123
|
// ========================================
|
|
122
|
-
[
|
|
124
|
+
[VulnerabilityCode.CMDI_OOB_CONFIRMED]: {
|
|
123
125
|
id: 6,
|
|
124
|
-
code:
|
|
126
|
+
code: VulnerabilityCode.CMDI_OOB_CONFIRMED,
|
|
125
127
|
title: 'OS Command Injection - OOB Confirmed',
|
|
126
128
|
description: 'Critical OS command injection vulnerability confirmed through out-of-band callback detection, proving that attacker-controlled shell commands are being executed on the server operating system with full access to system resources and potential for complete server compromise.',
|
|
127
129
|
severity: 'critical',
|
|
130
|
+
levelId: 1,
|
|
128
131
|
category: 'injection',
|
|
129
132
|
scanner: 'command-injection',
|
|
130
133
|
cvss: {
|
|
@@ -140,12 +143,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
140
143
|
],
|
|
141
144
|
remediation: 'Avoid system calls with user input entirely. Use language-specific APIs instead of shell commands. Implement strict input validation with allowlists. Run applications with minimal OS privileges in sandboxed environments.',
|
|
142
145
|
},
|
|
143
|
-
[
|
|
146
|
+
[VulnerabilityCode.CMDI_REFLECTED]: {
|
|
144
147
|
id: 7,
|
|
145
|
-
code:
|
|
148
|
+
code: VulnerabilityCode.CMDI_REFLECTED,
|
|
146
149
|
title: 'OS Command Injection - Reflected Output',
|
|
147
150
|
description: 'OS command injection vulnerability confirmed by command output being reflected in the application response, indicating that shell commands execute on the server and their results are returned to the attacker for data exfiltration and system reconnaissance.',
|
|
148
151
|
severity: 'critical',
|
|
152
|
+
levelId: 1,
|
|
149
153
|
category: 'injection',
|
|
150
154
|
scanner: 'command-injection',
|
|
151
155
|
cvss: {
|
|
@@ -161,12 +165,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
161
165
|
],
|
|
162
166
|
remediation: 'Replace shell command execution with native language APIs. Implement strict input validation using allowlists. Escape shell metacharacters if commands are unavoidable. Sandbox application execution environments.',
|
|
163
167
|
},
|
|
164
|
-
[
|
|
168
|
+
[VulnerabilityCode.CMDI_TIME_BASED]: {
|
|
165
169
|
id: 8,
|
|
166
|
-
code:
|
|
170
|
+
code: VulnerabilityCode.CMDI_TIME_BASED,
|
|
167
171
|
title: 'OS Command Injection - Time Based',
|
|
168
172
|
description: 'Time-based OS command injection vulnerability detected through measurable response time delays caused by injected sleep or ping commands, strongly indicating that shell commands execute on the server even though output is not directly visible in responses.',
|
|
169
173
|
severity: 'high',
|
|
174
|
+
levelId: 2,
|
|
170
175
|
category: 'injection',
|
|
171
176
|
scanner: 'command-injection',
|
|
172
177
|
cvss: {
|
|
@@ -182,12 +187,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
182
187
|
],
|
|
183
188
|
remediation: 'Avoid executing system commands with user input. Use native APIs for required functionality. Implement strict input validation. Set command execution timeouts and monitor for anomalous delays.',
|
|
184
189
|
},
|
|
185
|
-
[
|
|
190
|
+
[VulnerabilityCode.CMDI_ERROR_BASED]: {
|
|
186
191
|
id: 9,
|
|
187
|
-
code:
|
|
192
|
+
code: VulnerabilityCode.CMDI_ERROR_BASED,
|
|
188
193
|
title: 'OS Command Injection - Error Based',
|
|
189
194
|
description: 'Potential OS command injection vulnerability indicated by distinctive error messages or system-level exceptions in the application response when malformed shell payloads are submitted, suggesting command execution attempts reach the operating system interpreter.',
|
|
190
195
|
severity: 'medium',
|
|
196
|
+
levelId: 3,
|
|
191
197
|
category: 'injection',
|
|
192
198
|
scanner: 'command-injection',
|
|
193
199
|
cvss: {
|
|
@@ -206,12 +212,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
206
212
|
// ========================================
|
|
207
213
|
// SERVER-SIDE TEMPLATE INJECTION
|
|
208
214
|
// ========================================
|
|
209
|
-
[
|
|
215
|
+
[VulnerabilityCode.SSTI_JINJA2]: {
|
|
210
216
|
id: 10,
|
|
211
|
-
code:
|
|
217
|
+
code: VulnerabilityCode.SSTI_JINJA2,
|
|
212
218
|
title: 'Server-Side Template Injection - Jinja2',
|
|
213
219
|
description: 'Critical server-side template injection vulnerability in Jinja2 (Python/Flask) where user input is processed as template code, enabling attackers to execute arbitrary Python code on the server through template expressions like {{config}} or {{request.application.__globals__}}.',
|
|
214
220
|
severity: 'critical',
|
|
221
|
+
levelId: 1,
|
|
215
222
|
category: 'injection',
|
|
216
223
|
scanner: 'ssti',
|
|
217
224
|
cvss: {
|
|
@@ -227,12 +234,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
227
234
|
],
|
|
228
235
|
remediation: 'Never pass user input directly to template rendering. Use sandboxed template environments with restricted builtins. Prefer logic-less templates like Mustache. Implement strict input validation before template processing.',
|
|
229
236
|
},
|
|
230
|
-
[
|
|
237
|
+
[VulnerabilityCode.SSTI_TWIG]: {
|
|
231
238
|
id: 11,
|
|
232
|
-
code:
|
|
239
|
+
code: VulnerabilityCode.SSTI_TWIG,
|
|
233
240
|
title: 'Server-Side Template Injection - Twig',
|
|
234
241
|
description: 'Critical server-side template injection vulnerability in Twig (PHP/Symfony) where user input is evaluated as template expressions, allowing attackers to execute arbitrary PHP code on the server through filter chains and object method invocations within template syntax.',
|
|
235
242
|
severity: 'critical',
|
|
243
|
+
levelId: 1,
|
|
236
244
|
category: 'injection',
|
|
237
245
|
scanner: 'ssti',
|
|
238
246
|
cvss: {
|
|
@@ -248,12 +256,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
248
256
|
],
|
|
249
257
|
remediation: 'Avoid rendering user input as templates. Use Twig sandbox mode with whitelisted tags, filters, and functions. Upgrade to latest Twig version with security patches. Validate and sanitize all inputs.',
|
|
250
258
|
},
|
|
251
|
-
[
|
|
259
|
+
[VulnerabilityCode.SSTI_FREEMARKER]: {
|
|
252
260
|
id: 12,
|
|
253
|
-
code:
|
|
261
|
+
code: VulnerabilityCode.SSTI_FREEMARKER,
|
|
254
262
|
title: 'Server-Side Template Injection - FreeMarker',
|
|
255
263
|
description: 'Critical server-side template injection vulnerability in FreeMarker (Java) where user-controlled data is interpreted as template directives, enabling remote code execution through Java class instantiation and method invocation via FreeMarker built-in expressions.',
|
|
256
264
|
severity: 'critical',
|
|
265
|
+
levelId: 1,
|
|
257
266
|
category: 'injection',
|
|
258
267
|
scanner: 'ssti',
|
|
259
268
|
cvss: {
|
|
@@ -269,12 +278,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
269
278
|
],
|
|
270
279
|
remediation: 'Never interpolate user input into templates. Configure FreeMarker with restricted class resolver. Disable new() built-in and api built-ins. Use template configuration to restrict available classes.',
|
|
271
280
|
},
|
|
272
|
-
[
|
|
281
|
+
[VulnerabilityCode.SSTI_GENERIC]: {
|
|
273
282
|
id: 13,
|
|
274
|
-
code:
|
|
283
|
+
code: VulnerabilityCode.SSTI_GENERIC,
|
|
275
284
|
title: 'Server-Side Template Injection - Generic',
|
|
276
285
|
description: 'Server-side template injection vulnerability detected where user input is being processed by a template engine, potentially allowing code execution. The specific template engine could not be determined, but mathematical expression evaluation confirms server-side processing of user input.',
|
|
277
286
|
severity: 'high',
|
|
287
|
+
levelId: 2,
|
|
278
288
|
category: 'injection',
|
|
279
289
|
scanner: 'ssti',
|
|
280
290
|
cvss: {
|
|
@@ -290,12 +300,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
290
300
|
],
|
|
291
301
|
remediation: 'Identify the template engine in use and apply engine-specific mitigations. Never pass user input to template rendering. Use sandboxed template environments. Implement strict input validation.',
|
|
292
302
|
},
|
|
293
|
-
[
|
|
303
|
+
[VulnerabilityCode.SSTI_VELOCITY]: {
|
|
294
304
|
id: 14,
|
|
295
|
-
code:
|
|
305
|
+
code: VulnerabilityCode.SSTI_VELOCITY,
|
|
296
306
|
title: 'Server-Side Template Injection - Velocity',
|
|
297
307
|
description: 'Critical server-side template injection vulnerability in Apache Velocity (Java) where user-controlled data is processed as template directives, enabling arbitrary Java code execution through Velocity Template Language expressions and class instantiation.',
|
|
298
308
|
severity: 'critical',
|
|
309
|
+
levelId: 1,
|
|
299
310
|
category: 'injection',
|
|
300
311
|
scanner: 'ssti',
|
|
301
312
|
cvss: {
|
|
@@ -311,12 +322,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
311
322
|
],
|
|
312
323
|
remediation: 'Never render user input as Velocity templates. Configure SecureUberspector to block dangerous method calls. Use Velocity tools with restricted capabilities. Apply input validation.',
|
|
313
324
|
},
|
|
314
|
-
[
|
|
325
|
+
[VulnerabilityCode.SSTI_THYMELEAF]: {
|
|
315
326
|
id: 15,
|
|
316
|
-
code:
|
|
327
|
+
code: VulnerabilityCode.SSTI_THYMELEAF,
|
|
317
328
|
title: 'Server-Side Template Injection - Thymeleaf',
|
|
318
329
|
description: 'Critical server-side template injection vulnerability in Thymeleaf (Spring/Java) where user input is processed as template expressions, enabling remote code execution through SpEL (Spring Expression Language) injection in template attributes.',
|
|
319
330
|
severity: 'critical',
|
|
331
|
+
levelId: 1,
|
|
320
332
|
category: 'injection',
|
|
321
333
|
scanner: 'ssti',
|
|
322
334
|
cvss: {
|
|
@@ -332,12 +344,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
332
344
|
],
|
|
333
345
|
remediation: 'Never concatenate user input into template expressions. Use th:text for displaying user data. Configure SpringTemplateEngine to restrict expression capabilities.',
|
|
334
346
|
},
|
|
335
|
-
[
|
|
347
|
+
[VulnerabilityCode.SSTI_ERB]: {
|
|
336
348
|
id: 16,
|
|
337
|
-
code:
|
|
349
|
+
code: VulnerabilityCode.SSTI_ERB,
|
|
338
350
|
title: 'Server-Side Template Injection - ERB',
|
|
339
351
|
description: 'Critical server-side template injection vulnerability in ERB (Ruby on Rails) where user input is embedded in ERB templates and executed as Ruby code, enabling arbitrary system command execution and complete server compromise through Ruby runtime access.',
|
|
340
352
|
severity: 'critical',
|
|
353
|
+
levelId: 1,
|
|
341
354
|
category: 'injection',
|
|
342
355
|
scanner: 'ssti',
|
|
343
356
|
cvss: {
|
|
@@ -353,12 +366,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
353
366
|
],
|
|
354
367
|
remediation: 'Never pass user input to ERB.new(). Use Rails html_safe only after proper sanitization. Prefer logic-less templates. Implement strict input validation before any rendering.',
|
|
355
368
|
},
|
|
356
|
-
[
|
|
369
|
+
[VulnerabilityCode.SSTI_EJS]: {
|
|
357
370
|
id: 17,
|
|
358
|
-
code:
|
|
371
|
+
code: VulnerabilityCode.SSTI_EJS,
|
|
359
372
|
title: 'Server-Side Template Injection - EJS',
|
|
360
373
|
description: 'Critical server-side template injection vulnerability in EJS (Node.js) where user-controlled data is processed as template code, allowing arbitrary JavaScript execution on the server through embedded JavaScript expressions and access to Node.js runtime.',
|
|
361
374
|
severity: 'critical',
|
|
375
|
+
levelId: 1,
|
|
362
376
|
category: 'injection',
|
|
363
377
|
scanner: 'ssti',
|
|
364
378
|
cvss: {
|
|
@@ -374,12 +388,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
374
388
|
],
|
|
375
389
|
remediation: 'Never pass user input directly to ejs.render(). Use ejs.escape() for user data. Pass data through template locals only. Consider switching to logic-less templates like Handlebars.',
|
|
376
390
|
},
|
|
377
|
-
[
|
|
391
|
+
[VulnerabilityCode.SSTI_PUG]: {
|
|
378
392
|
id: 18,
|
|
379
|
-
code:
|
|
393
|
+
code: VulnerabilityCode.SSTI_PUG,
|
|
380
394
|
title: 'Server-Side Template Injection - Pug/Jade',
|
|
381
395
|
description: 'Critical server-side template injection vulnerability in Pug (formerly Jade, Node.js) where user input is interpreted as template syntax, enabling arbitrary JavaScript code execution through Pug embedded code blocks and access to server-side Node.js environment.',
|
|
382
396
|
severity: 'critical',
|
|
397
|
+
levelId: 1,
|
|
383
398
|
category: 'injection',
|
|
384
399
|
scanner: 'ssti',
|
|
385
400
|
cvss: {
|
|
@@ -395,12 +410,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
395
410
|
],
|
|
396
411
|
remediation: 'Never compile user input as Pug templates. Pass user data only through template locals. Avoid pug.compile() with user-controlled template strings. Use static templates only.',
|
|
397
412
|
},
|
|
398
|
-
[
|
|
413
|
+
[VulnerabilityCode.SSTI_SMARTY]: {
|
|
399
414
|
id: 19,
|
|
400
|
-
code:
|
|
415
|
+
code: VulnerabilityCode.SSTI_SMARTY,
|
|
401
416
|
title: 'Server-Side Template Injection - Smarty',
|
|
402
417
|
description: 'Critical server-side template injection vulnerability in Smarty (PHP) where user input is processed as template code, enabling arbitrary PHP code execution through Smarty tags and function calls that can lead to complete server compromise.',
|
|
403
418
|
severity: 'critical',
|
|
419
|
+
levelId: 1,
|
|
404
420
|
category: 'injection',
|
|
405
421
|
scanner: 'ssti',
|
|
406
422
|
cvss: {
|
|
@@ -416,12 +432,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
416
432
|
],
|
|
417
433
|
remediation: 'Enable Smarty security_policy to restrict allowed tags and modifiers. Never pass user input to template compilation. Disable {php} tags. Use Smarty 3+ with security features enabled.',
|
|
418
434
|
},
|
|
419
|
-
[
|
|
435
|
+
[VulnerabilityCode.SSTI_MAKO]: {
|
|
420
436
|
id: 20,
|
|
421
|
-
code:
|
|
437
|
+
code: VulnerabilityCode.SSTI_MAKO,
|
|
422
438
|
title: 'Server-Side Template Injection - Mako',
|
|
423
439
|
description: 'Critical server-side template injection vulnerability in Mako (Python) where user-controlled data is executed as template code, enabling arbitrary Python code execution through Mako expressions and full access to the Python runtime environment.',
|
|
424
440
|
severity: 'critical',
|
|
441
|
+
levelId: 1,
|
|
425
442
|
category: 'injection',
|
|
426
443
|
scanner: 'ssti',
|
|
427
444
|
cvss: {
|
|
@@ -440,12 +457,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
440
457
|
// ========================================
|
|
441
458
|
// XXE (XML EXTERNAL ENTITY) - Additional
|
|
442
459
|
// ========================================
|
|
443
|
-
[
|
|
460
|
+
[VulnerabilityCode.XXE_ERROR_BASED]: {
|
|
444
461
|
id: 21,
|
|
445
|
-
code:
|
|
462
|
+
code: VulnerabilityCode.XXE_ERROR_BASED,
|
|
446
463
|
title: 'XML External Entity Injection - Error Based',
|
|
447
464
|
description: 'Error-based XXE vulnerability where file contents can be extracted through parser error messages by crafting malformed external entities that include file data in error output, enabling data exfiltration even when direct output is not reflected.',
|
|
448
465
|
severity: 'high',
|
|
466
|
+
levelId: 2,
|
|
449
467
|
category: 'injection',
|
|
450
468
|
scanner: 'xxe',
|
|
451
469
|
cvss: {
|
|
@@ -461,12 +479,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
461
479
|
],
|
|
462
480
|
remediation: 'Disable DTD processing entirely in XML parser configuration. Suppress detailed error messages in production. Implement custom error handlers that do not expose file contents.',
|
|
463
481
|
},
|
|
464
|
-
[
|
|
482
|
+
[VulnerabilityCode.XXE_PARAMETER_ENTITY]: {
|
|
465
483
|
id: 22,
|
|
466
|
-
code:
|
|
484
|
+
code: VulnerabilityCode.XXE_PARAMETER_ENTITY,
|
|
467
485
|
title: 'XML External Entity Injection - Parameter Entity',
|
|
468
486
|
description: 'XXE vulnerability exploiting parameter entities in DTD declarations to exfiltrate data or perform SSRF attacks when regular external entities are blocked, by using percent-encoded entity references within the document type definition.',
|
|
469
487
|
severity: 'high',
|
|
488
|
+
levelId: 2,
|
|
470
489
|
category: 'injection',
|
|
471
490
|
scanner: 'xxe',
|
|
472
491
|
cvss: {
|
|
@@ -485,12 +504,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
485
504
|
// ========================================
|
|
486
505
|
// LOCAL FILE INCLUSION - Additional
|
|
487
506
|
// ========================================
|
|
488
|
-
[
|
|
507
|
+
[VulnerabilityCode.LFI_FILTER_BYPASS]: {
|
|
489
508
|
id: 23,
|
|
490
|
-
code:
|
|
509
|
+
code: VulnerabilityCode.LFI_FILTER_BYPASS,
|
|
491
510
|
title: 'Local File Inclusion - Filter Bypass',
|
|
492
511
|
description: 'Local file inclusion vulnerability that bypasses input validation filters through encoding tricks (URL encoding, double encoding, null bytes), alternate path separators, or case manipulation to access files despite security controls.',
|
|
493
512
|
severity: 'high',
|
|
513
|
+
levelId: 2,
|
|
494
514
|
category: 'file_inclusion',
|
|
495
515
|
scanner: 'local-file-inclusion',
|
|
496
516
|
cvss: {
|
|
@@ -506,12 +526,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
506
526
|
],
|
|
507
527
|
remediation: 'Use canonicalization after decoding before validation. Implement allowlist of permitted files instead of blocklist. Validate resolved paths are within expected directories.',
|
|
508
528
|
},
|
|
509
|
-
[
|
|
529
|
+
[VulnerabilityCode.LFI_PROC_DISCLOSURE]: {
|
|
510
530
|
id: 24,
|
|
511
|
-
code:
|
|
531
|
+
code: VulnerabilityCode.LFI_PROC_DISCLOSURE,
|
|
512
532
|
title: 'Local File Inclusion - Process Information Disclosure',
|
|
513
533
|
description: 'LFI vulnerability enabling access to /proc filesystem on Linux systems, exposing process memory maps, environment variables with credentials, command line arguments, and other runtime information that can reveal secrets and aid further attacks.',
|
|
514
534
|
severity: 'high',
|
|
535
|
+
levelId: 2,
|
|
515
536
|
category: 'file_inclusion',
|
|
516
537
|
scanner: 'local-file-inclusion',
|
|
517
538
|
cvss: {
|
|
@@ -530,12 +551,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
530
551
|
// ========================================
|
|
531
552
|
// XXE (XML EXTERNAL ENTITY)
|
|
532
553
|
// ========================================
|
|
533
|
-
[
|
|
554
|
+
[VulnerabilityCode.XXE_CLASSIC]: {
|
|
534
555
|
id: 25,
|
|
535
|
-
code:
|
|
556
|
+
code: VulnerabilityCode.XXE_CLASSIC,
|
|
536
557
|
title: 'XML External Entity Injection - Classic',
|
|
537
558
|
description: 'Classic XXE vulnerability where external XML entities are processed by the parser, allowing attackers to read local files like /etc/passwd or application configuration files by defining external entities that reference file:// protocol URIs in the XML document type definition.',
|
|
538
559
|
severity: 'high',
|
|
560
|
+
levelId: 2,
|
|
539
561
|
category: 'injection',
|
|
540
562
|
scanner: 'xxe',
|
|
541
563
|
cvss: {
|
|
@@ -551,12 +573,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
551
573
|
],
|
|
552
574
|
remediation: 'Disable DTD processing entirely. Disable external entity resolution in XML parser configuration. Use less complex data formats like JSON where possible. Validate and sanitize XML input.',
|
|
553
575
|
},
|
|
554
|
-
[
|
|
576
|
+
[VulnerabilityCode.XXE_BLIND]: {
|
|
555
577
|
id: 26,
|
|
556
|
-
code:
|
|
578
|
+
code: VulnerabilityCode.XXE_BLIND,
|
|
557
579
|
title: 'XML External Entity Injection - Blind',
|
|
558
580
|
description: 'Blind XXE vulnerability where external entities are processed but file contents are not directly returned in the response. Exploitation requires out-of-band techniques like error-based extraction or HTTP callbacks to exfiltrate data from the target server.',
|
|
559
581
|
severity: 'high',
|
|
582
|
+
levelId: 2,
|
|
560
583
|
category: 'injection',
|
|
561
584
|
scanner: 'xxe',
|
|
562
585
|
cvss: {
|
|
@@ -572,12 +595,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
572
595
|
],
|
|
573
596
|
remediation: 'Disable DTD and external entity processing in XML parser. Block outbound network connections from XML processing servers. Use JSON instead of XML where possible.',
|
|
574
597
|
},
|
|
575
|
-
[
|
|
598
|
+
[VulnerabilityCode.XXE_OOB]: {
|
|
576
599
|
id: 27,
|
|
577
|
-
code:
|
|
600
|
+
code: VulnerabilityCode.XXE_OOB,
|
|
578
601
|
title: 'XML External Entity Injection - Out-of-Band',
|
|
579
602
|
description: 'Critical out-of-band XXE vulnerability confirmed through external HTTP/DNS callbacks, proving the XML parser fetches external resources. This enables data exfiltration through URL parameters and server-side request forgery attacks against internal network resources.',
|
|
580
603
|
severity: 'critical',
|
|
604
|
+
levelId: 1,
|
|
581
605
|
category: 'injection',
|
|
582
606
|
scanner: 'xxe',
|
|
583
607
|
cvss: {
|
|
@@ -597,12 +621,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
597
621
|
// ========================================
|
|
598
622
|
// LOCAL FILE INCLUSION
|
|
599
623
|
// ========================================
|
|
600
|
-
[
|
|
624
|
+
[VulnerabilityCode.LFI_PATH_TRAVERSAL]: {
|
|
601
625
|
id: 28,
|
|
602
|
-
code:
|
|
626
|
+
code: VulnerabilityCode.LFI_PATH_TRAVERSAL,
|
|
603
627
|
title: 'Local File Inclusion - Path Traversal',
|
|
604
628
|
description: 'Path traversal vulnerability allowing attackers to read arbitrary files on the server by manipulating file path parameters with directory traversal sequences like ../ to escape the intended directory and access sensitive system or application configuration files.',
|
|
605
629
|
severity: 'high',
|
|
630
|
+
levelId: 2,
|
|
606
631
|
category: 'file_inclusion',
|
|
607
632
|
scanner: 'local-file-inclusion',
|
|
608
633
|
cvss: {
|
|
@@ -619,12 +644,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
619
644
|
],
|
|
620
645
|
remediation: 'Validate all file path inputs against an allowlist of permitted files. Canonicalize paths and verify they remain within expected directories. Use indirect file references instead of direct paths.',
|
|
621
646
|
},
|
|
622
|
-
[
|
|
647
|
+
[VulnerabilityCode.LFI_SOURCE_DISCLOSURE]: {
|
|
623
648
|
id: 29,
|
|
624
|
-
code:
|
|
649
|
+
code: VulnerabilityCode.LFI_SOURCE_DISCLOSURE,
|
|
625
650
|
title: 'Local File Inclusion - Source Code Disclosure',
|
|
626
651
|
description: 'Critical source code disclosure vulnerability where application source files can be read through file inclusion, exposing proprietary code, hardcoded credentials, API keys, database connection strings, and security implementation details that facilitate further attacks.',
|
|
627
652
|
severity: 'high',
|
|
653
|
+
levelId: 2,
|
|
628
654
|
category: 'file_inclusion',
|
|
629
655
|
scanner: 'local-file-inclusion',
|
|
630
656
|
cvss: {
|
|
@@ -641,12 +667,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
641
667
|
],
|
|
642
668
|
remediation: 'Use allowlist validation for file access. Store source files outside web root. Implement proper access controls on file reading functionality. Remove any debug endpoints that read files.',
|
|
643
669
|
},
|
|
644
|
-
[
|
|
670
|
+
[VulnerabilityCode.LFI_WRAPPER_PROTOCOL]: {
|
|
645
671
|
id: 30,
|
|
646
|
-
code:
|
|
672
|
+
code: VulnerabilityCode.LFI_WRAPPER_PROTOCOL,
|
|
647
673
|
title: 'Local File Inclusion - PHP Wrapper Protocol',
|
|
648
674
|
description: 'PHP wrapper protocol exploitation where filter or data wrappers like php://filter or php://input can be used to read source files as base64, write arbitrary files, or achieve remote code execution through deserialization when phar:// wrapper is enabled.',
|
|
649
675
|
severity: 'critical',
|
|
676
|
+
levelId: 1,
|
|
650
677
|
category: 'file_inclusion',
|
|
651
678
|
scanner: 'local-file-inclusion',
|
|
652
679
|
cvss: {
|
|
@@ -662,12 +689,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
662
689
|
],
|
|
663
690
|
remediation: 'Disable allow_url_include and allow_url_fopen in PHP configuration. Filter and validate all file path inputs. Block protocol wrappers in user input. Use allowlist for file access.',
|
|
664
691
|
},
|
|
665
|
-
[
|
|
692
|
+
[VulnerabilityCode.XPATH_AUTH_BYPASS]: {
|
|
666
693
|
id: 136,
|
|
667
|
-
code:
|
|
694
|
+
code: VulnerabilityCode.XPATH_AUTH_BYPASS,
|
|
668
695
|
title: 'XPath Injection - Authentication Bypass',
|
|
669
696
|
description: 'XPath injection vulnerability where crafted input manipulates XPath queries to bypass authentication or authorization checks, allowing attackers to log in as other users or access protected resources without valid credentials.',
|
|
670
697
|
severity: 'high',
|
|
698
|
+
levelId: 2,
|
|
671
699
|
category: 'injection',
|
|
672
700
|
scanner: 'xpath-injection',
|
|
673
701
|
cvss: {
|
|
@@ -683,12 +711,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
683
711
|
],
|
|
684
712
|
remediation: 'Use parameterized XPath queries or safe APIs that separate data from query logic. Validate and constrain user input for XPath contexts. Use allowlists and avoid dynamic XPath string concatenation.',
|
|
685
713
|
},
|
|
686
|
-
[
|
|
714
|
+
[VulnerabilityCode.XPATH_DATA_EXTRACTION]: {
|
|
687
715
|
id: 137,
|
|
688
|
-
code:
|
|
716
|
+
code: VulnerabilityCode.XPATH_DATA_EXTRACTION,
|
|
689
717
|
title: 'XPath Injection - Data Extraction',
|
|
690
718
|
description: 'XPath injection vulnerability that allows attackers to read or enumerate sensitive XML data by manipulating query predicates, leading to disclosure of user data, configuration, or credentials stored in XML-backed systems.',
|
|
691
719
|
severity: 'high',
|
|
720
|
+
levelId: 2,
|
|
692
721
|
category: 'injection',
|
|
693
722
|
scanner: 'xpath-injection',
|
|
694
723
|
cvss: {
|
|
@@ -704,12 +733,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
704
733
|
],
|
|
705
734
|
remediation: 'Use safe XPath APIs with variables/bind parameters. Apply strict input validation and encoding for XPath contexts. Restrict accessible XML data and apply least-privilege access controls.',
|
|
706
735
|
},
|
|
707
|
-
[
|
|
736
|
+
[VulnerabilityCode.XPATH_BLIND]: {
|
|
708
737
|
id: 138,
|
|
709
|
-
code:
|
|
738
|
+
code: VulnerabilityCode.XPATH_BLIND,
|
|
710
739
|
title: 'XPath Injection - Blind',
|
|
711
740
|
description: 'Blind XPath injection vulnerability where attackers infer query results through boolean or timing differences, enabling gradual extraction of sensitive XML data despite no direct response output.',
|
|
712
741
|
severity: 'medium',
|
|
742
|
+
levelId: 3,
|
|
713
743
|
category: 'injection',
|
|
714
744
|
scanner: 'xpath-injection',
|
|
715
745
|
cvss: {
|
|
@@ -725,12 +755,13 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
725
755
|
],
|
|
726
756
|
remediation: 'Use parameterized XPath queries and input validation. Normalize error and response behaviors to reduce side-channel differences. Apply rate limiting to limit inference attacks.',
|
|
727
757
|
},
|
|
728
|
-
[
|
|
758
|
+
[VulnerabilityCode.XPATH_ERROR_BASED]: {
|
|
729
759
|
id: 139,
|
|
730
|
-
code:
|
|
760
|
+
code: VulnerabilityCode.XPATH_ERROR_BASED,
|
|
731
761
|
title: 'XPath Injection - Error Based',
|
|
732
762
|
description: 'XPath injection vulnerability where malformed input triggers verbose error messages that reveal query structure or XML data, enabling attackers to craft precise XPath exploits or extract sensitive information.',
|
|
733
763
|
severity: 'medium',
|
|
764
|
+
levelId: 3,
|
|
734
765
|
category: 'injection',
|
|
735
766
|
scanner: 'xpath-injection',
|
|
736
767
|
cvss: {
|
|
@@ -747,4 +778,4 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
747
778
|
remediation: 'Suppress detailed XPath error messages in production. Use safe XPath APIs and validation to prevent injection. Implement centralized error handling with generic responses.',
|
|
748
779
|
},
|
|
749
780
|
};
|
|
750
|
-
|
|
781
|
+
export default INJECTION_VULNERABILITIES;
|