@zerothreatai/vulnerability-registry 3.0.0 → 5.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/categories/authentication.js +34 -17
- package/dist/categories/configuration.js +561 -60
- package/dist/categories/injection.js +68 -34
- package/dist/categories/sensitive-paths.js +168 -84
- package/dist/categories/ssrf.js +22 -11
- package/dist/categories/xss.js +30 -15
- package/dist/category.d.ts +6 -0
- package/dist/category.js +15 -0
- package/dist/error-codes.d.ts +20 -0
- package/dist/error-codes.js +20 -0
- package/dist/index.d.ts +9 -1
- package/dist/index.js +5 -1
- package/dist/scanner.d.ts +6 -0
- package/dist/scanner.js +22 -0
- package/dist/types.d.ts +2 -0
- package/dist-cjs/categories/authentication.js +34 -17
- package/dist-cjs/categories/configuration.js +561 -60
- package/dist-cjs/categories/injection.js +68 -34
- package/dist-cjs/categories/sensitive-paths.js +168 -84
- package/dist-cjs/categories/ssrf.js +22 -11
- package/dist-cjs/categories/xss.js +30 -15
- package/dist-cjs/category.js +18 -0
- package/dist-cjs/error-codes.js +20 -0
- package/dist-cjs/index.js +7 -1
- package/dist-cjs/scanner.js +25 -0
- package/package.json +35 -32
- package/scripts/assign-ids.ts +105 -0
- package/scripts/check-duplicate-ids.ts +45 -0
- package/src/categories/authentication.ts +145 -128
- package/src/categories/configuration.ts +1632 -1111
- package/src/categories/injection.ts +158 -124
- package/src/categories/sensitive-paths.ts +168 -84
- package/src/categories/ssrf.ts +22 -11
- package/src/categories/xss.ts +30 -15
- package/src/category.ts +16 -0
- package/src/error-codes.ts +25 -5
- package/src/id-registry.json +1235 -0
- package/src/index.ts +20 -14
- package/src/scanner.ts +23 -0
- package/src/types.ts +4 -2
- package/zerothreatai-vulnerability-registry-4npm .0.0.tgz +0 -0
- package/src/categories/authentication.d.ts +0 -8
- package/src/categories/authentication.d.ts.map +0 -1
- package/src/categories/authentication.js +0 -378
- package/src/categories/authentication.js.map +0 -1
- package/src/categories/configuration.d.ts +0 -8
- package/src/categories/configuration.d.ts.map +0 -1
- package/src/categories/configuration.js +0 -906
- package/src/categories/configuration.js.map +0 -1
- package/src/categories/injection.d.ts +0 -8
- package/src/categories/injection.d.ts.map +0 -1
- package/src/categories/injection.js +0 -750
- package/src/categories/injection.js.map +0 -1
- package/src/categories/sensitive-paths.d.ts +0 -9
- package/src/categories/sensitive-paths.d.ts.map +0 -1
- package/src/categories/sensitive-paths.js +0 -1791
- package/src/categories/sensitive-paths.js.map +0 -1
- package/src/categories/ssrf.d.ts +0 -8
- package/src/categories/ssrf.d.ts.map +0 -1
- package/src/categories/ssrf.js +0 -250
- package/src/categories/ssrf.js.map +0 -1
- package/src/categories/xss.d.ts +0 -7
- package/src/categories/xss.d.ts.map +0 -1
- package/src/categories/xss.js +0 -328
- package/src/categories/xss.js.map +0 -1
- package/src/error-codes.d.ts +0 -242
- package/src/error-codes.d.ts.map +0 -1
- package/src/error-codes.js +0 -315
- package/src/error-codes.js.map +0 -1
- package/src/index.d.ts +0 -60
- package/src/index.d.ts.map +0 -1
- package/src/index.js +0 -107
- package/src/index.js.map +0 -1
- package/src/types.d.ts +0 -86
- package/src/types.d.ts.map +0 -1
- package/src/types.js +0 -7
- package/src/types.js.map +0 -1
|
@@ -9,11 +9,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
9
9
|
// SQL INJECTION
|
|
10
10
|
// ========================================
|
|
11
11
|
[VulnerabilityCode.SQLI_ERROR_BASED]: {
|
|
12
|
-
id:
|
|
12
|
+
id: 300,
|
|
13
13
|
code: VulnerabilityCode.SQLI_ERROR_BASED,
|
|
14
14
|
title: 'SQL Injection - Error Based',
|
|
15
15
|
description: 'Error-based SQL injection vulnerability detected where database error messages are reflected in the application response, allowing attackers to extract sensitive data from the database by manipulating SQL queries and analyzing error output.',
|
|
16
16
|
severity: 'high',
|
|
17
|
+
levelId: 2,
|
|
17
18
|
category: 'injection',
|
|
18
19
|
scanner: 'sql-injection',
|
|
19
20
|
cvss: {
|
|
@@ -30,11 +31,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
30
31
|
remediation: 'Use parameterized queries or prepared statements. Implement input validation and sanitization. Use stored procedures with parameterized inputs. Apply principle of least privilege to database accounts.',
|
|
31
32
|
},
|
|
32
33
|
[VulnerabilityCode.SQLI_BOOLEAN_BASED]: {
|
|
33
|
-
id:
|
|
34
|
+
id: 301,
|
|
34
35
|
code: VulnerabilityCode.SQLI_BOOLEAN_BASED,
|
|
35
36
|
title: 'SQL Injection - Boolean Based Blind',
|
|
36
37
|
description: 'Boolean-based blind SQL injection vulnerability where the application responds differently based on whether injected conditions evaluate to true or false, enabling attackers to infer database contents one bit at a time through systematic query manipulation.',
|
|
37
38
|
severity: 'high',
|
|
39
|
+
levelId: 2,
|
|
38
40
|
category: 'injection',
|
|
39
41
|
scanner: 'sql-injection',
|
|
40
42
|
cvss: {
|
|
@@ -51,11 +53,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
51
53
|
remediation: 'Use parameterized queries or prepared statements. Implement consistent error handling that does not reveal query success/failure. Apply input validation and output encoding.',
|
|
52
54
|
},
|
|
53
55
|
[VulnerabilityCode.SQLI_TIME_BASED]: {
|
|
54
|
-
id:
|
|
56
|
+
id: 302,
|
|
55
57
|
code: VulnerabilityCode.SQLI_TIME_BASED,
|
|
56
58
|
title: 'SQL Injection - Time Based Blind',
|
|
57
59
|
description: 'Time-based blind SQL injection vulnerability where attackers can infer database contents by measuring response time differences caused by injected time delay functions like SLEEP() or WAITFOR, enabling complete database extraction through timing analysis.',
|
|
58
60
|
severity: 'high',
|
|
61
|
+
levelId: 2,
|
|
59
62
|
category: 'injection',
|
|
60
63
|
scanner: 'sql-injection',
|
|
61
64
|
cvss: {
|
|
@@ -72,11 +75,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
72
75
|
remediation: 'Use parameterized queries or prepared statements. Implement query timeout limits. Apply input validation and sanitization. Monitor for abnormally slow queries.',
|
|
73
76
|
},
|
|
74
77
|
[VulnerabilityCode.SQLI_STACK_BASED]: {
|
|
75
|
-
id:
|
|
78
|
+
id: 303,
|
|
76
79
|
code: VulnerabilityCode.SQLI_STACK_BASED,
|
|
77
80
|
title: 'SQL Injection - Stacked Queries',
|
|
78
81
|
description: 'Critical stacked queries SQL injection vulnerability allowing attackers to execute multiple SQL statements in a single query, enabling destructive operations like DROP TABLE, INSERT into admin tables, or creating backdoor accounts with full database control.',
|
|
79
82
|
severity: 'critical',
|
|
83
|
+
levelId: 1,
|
|
80
84
|
category: 'injection',
|
|
81
85
|
scanner: 'sql-injection',
|
|
82
86
|
cvss: {
|
|
@@ -93,11 +97,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
93
97
|
remediation: 'Use parameterized queries exclusively. Disable multi-statement execution in database drivers. Implement strict input validation. Apply least privilege database permissions and prevent DDL execution.',
|
|
94
98
|
},
|
|
95
99
|
[VulnerabilityCode.SQLI_UNION_BASED]: {
|
|
96
|
-
id:
|
|
100
|
+
id: 304,
|
|
97
101
|
code: VulnerabilityCode.SQLI_UNION_BASED,
|
|
98
102
|
title: 'SQL Injection - UNION Based',
|
|
99
103
|
description: 'UNION-based SQL injection vulnerability allowing attackers to append additional SELECT queries using UNION operator, enabling direct extraction of data from other database tables including user credentials, personal information, and sensitive business data.',
|
|
100
104
|
severity: 'high',
|
|
105
|
+
levelId: 2,
|
|
101
106
|
category: 'injection',
|
|
102
107
|
scanner: 'sql-injection',
|
|
103
108
|
cvss: {
|
|
@@ -117,11 +122,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
117
122
|
// COMMAND INJECTION
|
|
118
123
|
// ========================================
|
|
119
124
|
[VulnerabilityCode.CMDI_OOB_CONFIRMED]: {
|
|
120
|
-
id:
|
|
125
|
+
id: 305,
|
|
121
126
|
code: VulnerabilityCode.CMDI_OOB_CONFIRMED,
|
|
122
127
|
title: 'OS Command Injection - OOB Confirmed',
|
|
123
128
|
description: 'Critical OS command injection vulnerability confirmed through out-of-band callback detection, proving that attacker-controlled shell commands are being executed on the server operating system with full access to system resources and potential for complete server compromise.',
|
|
124
129
|
severity: 'critical',
|
|
130
|
+
levelId: 1,
|
|
125
131
|
category: 'injection',
|
|
126
132
|
scanner: 'command-injection',
|
|
127
133
|
cvss: {
|
|
@@ -138,11 +144,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
138
144
|
remediation: 'Avoid system calls with user input entirely. Use language-specific APIs instead of shell commands. Implement strict input validation with allowlists. Run applications with minimal OS privileges in sandboxed environments.',
|
|
139
145
|
},
|
|
140
146
|
[VulnerabilityCode.CMDI_REFLECTED]: {
|
|
141
|
-
id:
|
|
147
|
+
id: 306,
|
|
142
148
|
code: VulnerabilityCode.CMDI_REFLECTED,
|
|
143
149
|
title: 'OS Command Injection - Reflected Output',
|
|
144
150
|
description: 'OS command injection vulnerability confirmed by command output being reflected in the application response, indicating that shell commands execute on the server and their results are returned to the attacker for data exfiltration and system reconnaissance.',
|
|
145
151
|
severity: 'critical',
|
|
152
|
+
levelId: 1,
|
|
146
153
|
category: 'injection',
|
|
147
154
|
scanner: 'command-injection',
|
|
148
155
|
cvss: {
|
|
@@ -159,11 +166,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
159
166
|
remediation: 'Replace shell command execution with native language APIs. Implement strict input validation using allowlists. Escape shell metacharacters if commands are unavoidable. Sandbox application execution environments.',
|
|
160
167
|
},
|
|
161
168
|
[VulnerabilityCode.CMDI_TIME_BASED]: {
|
|
162
|
-
id:
|
|
169
|
+
id: 307,
|
|
163
170
|
code: VulnerabilityCode.CMDI_TIME_BASED,
|
|
164
171
|
title: 'OS Command Injection - Time Based',
|
|
165
172
|
description: 'Time-based OS command injection vulnerability detected through measurable response time delays caused by injected sleep or ping commands, strongly indicating that shell commands execute on the server even though output is not directly visible in responses.',
|
|
166
173
|
severity: 'high',
|
|
174
|
+
levelId: 2,
|
|
167
175
|
category: 'injection',
|
|
168
176
|
scanner: 'command-injection',
|
|
169
177
|
cvss: {
|
|
@@ -180,11 +188,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
180
188
|
remediation: 'Avoid executing system commands with user input. Use native APIs for required functionality. Implement strict input validation. Set command execution timeouts and monitor for anomalous delays.',
|
|
181
189
|
},
|
|
182
190
|
[VulnerabilityCode.CMDI_ERROR_BASED]: {
|
|
183
|
-
id:
|
|
191
|
+
id: 308,
|
|
184
192
|
code: VulnerabilityCode.CMDI_ERROR_BASED,
|
|
185
193
|
title: 'OS Command Injection - Error Based',
|
|
186
194
|
description: 'Potential OS command injection vulnerability indicated by distinctive error messages or system-level exceptions in the application response when malformed shell payloads are submitted, suggesting command execution attempts reach the operating system interpreter.',
|
|
187
195
|
severity: 'medium',
|
|
196
|
+
levelId: 3,
|
|
188
197
|
category: 'injection',
|
|
189
198
|
scanner: 'command-injection',
|
|
190
199
|
cvss: {
|
|
@@ -204,11 +213,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
204
213
|
// SERVER-SIDE TEMPLATE INJECTION
|
|
205
214
|
// ========================================
|
|
206
215
|
[VulnerabilityCode.SSTI_JINJA2]: {
|
|
207
|
-
id:
|
|
216
|
+
id: 309,
|
|
208
217
|
code: VulnerabilityCode.SSTI_JINJA2,
|
|
209
218
|
title: 'Server-Side Template Injection - Jinja2',
|
|
210
219
|
description: 'Critical server-side template injection vulnerability in Jinja2 (Python/Flask) where user input is processed as template code, enabling attackers to execute arbitrary Python code on the server through template expressions like {{config}} or {{request.application.__globals__}}.',
|
|
211
220
|
severity: 'critical',
|
|
221
|
+
levelId: 1,
|
|
212
222
|
category: 'injection',
|
|
213
223
|
scanner: 'ssti',
|
|
214
224
|
cvss: {
|
|
@@ -225,11 +235,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
225
235
|
remediation: 'Never pass user input directly to template rendering. Use sandboxed template environments with restricted builtins. Prefer logic-less templates like Mustache. Implement strict input validation before template processing.',
|
|
226
236
|
},
|
|
227
237
|
[VulnerabilityCode.SSTI_TWIG]: {
|
|
228
|
-
id:
|
|
238
|
+
id: 310,
|
|
229
239
|
code: VulnerabilityCode.SSTI_TWIG,
|
|
230
240
|
title: 'Server-Side Template Injection - Twig',
|
|
231
241
|
description: 'Critical server-side template injection vulnerability in Twig (PHP/Symfony) where user input is evaluated as template expressions, allowing attackers to execute arbitrary PHP code on the server through filter chains and object method invocations within template syntax.',
|
|
232
242
|
severity: 'critical',
|
|
243
|
+
levelId: 1,
|
|
233
244
|
category: 'injection',
|
|
234
245
|
scanner: 'ssti',
|
|
235
246
|
cvss: {
|
|
@@ -246,11 +257,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
246
257
|
remediation: 'Avoid rendering user input as templates. Use Twig sandbox mode with whitelisted tags, filters, and functions. Upgrade to latest Twig version with security patches. Validate and sanitize all inputs.',
|
|
247
258
|
},
|
|
248
259
|
[VulnerabilityCode.SSTI_FREEMARKER]: {
|
|
249
|
-
id:
|
|
260
|
+
id: 311,
|
|
250
261
|
code: VulnerabilityCode.SSTI_FREEMARKER,
|
|
251
262
|
title: 'Server-Side Template Injection - FreeMarker',
|
|
252
263
|
description: 'Critical server-side template injection vulnerability in FreeMarker (Java) where user-controlled data is interpreted as template directives, enabling remote code execution through Java class instantiation and method invocation via FreeMarker built-in expressions.',
|
|
253
264
|
severity: 'critical',
|
|
265
|
+
levelId: 1,
|
|
254
266
|
category: 'injection',
|
|
255
267
|
scanner: 'ssti',
|
|
256
268
|
cvss: {
|
|
@@ -267,11 +279,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
267
279
|
remediation: 'Never interpolate user input into templates. Configure FreeMarker with restricted class resolver. Disable new() built-in and api built-ins. Use template configuration to restrict available classes.',
|
|
268
280
|
},
|
|
269
281
|
[VulnerabilityCode.SSTI_GENERIC]: {
|
|
270
|
-
id:
|
|
282
|
+
id: 312,
|
|
271
283
|
code: VulnerabilityCode.SSTI_GENERIC,
|
|
272
284
|
title: 'Server-Side Template Injection - Generic',
|
|
273
285
|
description: 'Server-side template injection vulnerability detected where user input is being processed by a template engine, potentially allowing code execution. The specific template engine could not be determined, but mathematical expression evaluation confirms server-side processing of user input.',
|
|
274
286
|
severity: 'high',
|
|
287
|
+
levelId: 2,
|
|
275
288
|
category: 'injection',
|
|
276
289
|
scanner: 'ssti',
|
|
277
290
|
cvss: {
|
|
@@ -288,11 +301,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
288
301
|
remediation: 'Identify the template engine in use and apply engine-specific mitigations. Never pass user input to template rendering. Use sandboxed template environments. Implement strict input validation.',
|
|
289
302
|
},
|
|
290
303
|
[VulnerabilityCode.SSTI_VELOCITY]: {
|
|
291
|
-
id:
|
|
304
|
+
id: 313,
|
|
292
305
|
code: VulnerabilityCode.SSTI_VELOCITY,
|
|
293
306
|
title: 'Server-Side Template Injection - Velocity',
|
|
294
307
|
description: 'Critical server-side template injection vulnerability in Apache Velocity (Java) where user-controlled data is processed as template directives, enabling arbitrary Java code execution through Velocity Template Language expressions and class instantiation.',
|
|
295
308
|
severity: 'critical',
|
|
309
|
+
levelId: 1,
|
|
296
310
|
category: 'injection',
|
|
297
311
|
scanner: 'ssti',
|
|
298
312
|
cvss: {
|
|
@@ -309,11 +323,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
309
323
|
remediation: 'Never render user input as Velocity templates. Configure SecureUberspector to block dangerous method calls. Use Velocity tools with restricted capabilities. Apply input validation.',
|
|
310
324
|
},
|
|
311
325
|
[VulnerabilityCode.SSTI_THYMELEAF]: {
|
|
312
|
-
id:
|
|
326
|
+
id: 314,
|
|
313
327
|
code: VulnerabilityCode.SSTI_THYMELEAF,
|
|
314
328
|
title: 'Server-Side Template Injection - Thymeleaf',
|
|
315
329
|
description: 'Critical server-side template injection vulnerability in Thymeleaf (Spring/Java) where user input is processed as template expressions, enabling remote code execution through SpEL (Spring Expression Language) injection in template attributes.',
|
|
316
330
|
severity: 'critical',
|
|
331
|
+
levelId: 1,
|
|
317
332
|
category: 'injection',
|
|
318
333
|
scanner: 'ssti',
|
|
319
334
|
cvss: {
|
|
@@ -330,11 +345,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
330
345
|
remediation: 'Never concatenate user input into template expressions. Use th:text for displaying user data. Configure SpringTemplateEngine to restrict expression capabilities.',
|
|
331
346
|
},
|
|
332
347
|
[VulnerabilityCode.SSTI_ERB]: {
|
|
333
|
-
id:
|
|
348
|
+
id: 315,
|
|
334
349
|
code: VulnerabilityCode.SSTI_ERB,
|
|
335
350
|
title: 'Server-Side Template Injection - ERB',
|
|
336
351
|
description: 'Critical server-side template injection vulnerability in ERB (Ruby on Rails) where user input is embedded in ERB templates and executed as Ruby code, enabling arbitrary system command execution and complete server compromise through Ruby runtime access.',
|
|
337
352
|
severity: 'critical',
|
|
353
|
+
levelId: 1,
|
|
338
354
|
category: 'injection',
|
|
339
355
|
scanner: 'ssti',
|
|
340
356
|
cvss: {
|
|
@@ -351,11 +367,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
351
367
|
remediation: 'Never pass user input to ERB.new(). Use Rails html_safe only after proper sanitization. Prefer logic-less templates. Implement strict input validation before any rendering.',
|
|
352
368
|
},
|
|
353
369
|
[VulnerabilityCode.SSTI_EJS]: {
|
|
354
|
-
id:
|
|
370
|
+
id: 316,
|
|
355
371
|
code: VulnerabilityCode.SSTI_EJS,
|
|
356
372
|
title: 'Server-Side Template Injection - EJS',
|
|
357
373
|
description: 'Critical server-side template injection vulnerability in EJS (Node.js) where user-controlled data is processed as template code, allowing arbitrary JavaScript execution on the server through embedded JavaScript expressions and access to Node.js runtime.',
|
|
358
374
|
severity: 'critical',
|
|
375
|
+
levelId: 1,
|
|
359
376
|
category: 'injection',
|
|
360
377
|
scanner: 'ssti',
|
|
361
378
|
cvss: {
|
|
@@ -372,11 +389,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
372
389
|
remediation: 'Never pass user input directly to ejs.render(). Use ejs.escape() for user data. Pass data through template locals only. Consider switching to logic-less templates like Handlebars.',
|
|
373
390
|
},
|
|
374
391
|
[VulnerabilityCode.SSTI_PUG]: {
|
|
375
|
-
id:
|
|
392
|
+
id: 317,
|
|
376
393
|
code: VulnerabilityCode.SSTI_PUG,
|
|
377
394
|
title: 'Server-Side Template Injection - Pug/Jade',
|
|
378
395
|
description: 'Critical server-side template injection vulnerability in Pug (formerly Jade, Node.js) where user input is interpreted as template syntax, enabling arbitrary JavaScript code execution through Pug embedded code blocks and access to server-side Node.js environment.',
|
|
379
396
|
severity: 'critical',
|
|
397
|
+
levelId: 1,
|
|
380
398
|
category: 'injection',
|
|
381
399
|
scanner: 'ssti',
|
|
382
400
|
cvss: {
|
|
@@ -393,11 +411,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
393
411
|
remediation: 'Never compile user input as Pug templates. Pass user data only through template locals. Avoid pug.compile() with user-controlled template strings. Use static templates only.',
|
|
394
412
|
},
|
|
395
413
|
[VulnerabilityCode.SSTI_SMARTY]: {
|
|
396
|
-
id:
|
|
414
|
+
id: 318,
|
|
397
415
|
code: VulnerabilityCode.SSTI_SMARTY,
|
|
398
416
|
title: 'Server-Side Template Injection - Smarty',
|
|
399
417
|
description: 'Critical server-side template injection vulnerability in Smarty (PHP) where user input is processed as template code, enabling arbitrary PHP code execution through Smarty tags and function calls that can lead to complete server compromise.',
|
|
400
418
|
severity: 'critical',
|
|
419
|
+
levelId: 1,
|
|
401
420
|
category: 'injection',
|
|
402
421
|
scanner: 'ssti',
|
|
403
422
|
cvss: {
|
|
@@ -414,11 +433,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
414
433
|
remediation: 'Enable Smarty security_policy to restrict allowed tags and modifiers. Never pass user input to template compilation. Disable {php} tags. Use Smarty 3+ with security features enabled.',
|
|
415
434
|
},
|
|
416
435
|
[VulnerabilityCode.SSTI_MAKO]: {
|
|
417
|
-
id:
|
|
436
|
+
id: 319,
|
|
418
437
|
code: VulnerabilityCode.SSTI_MAKO,
|
|
419
438
|
title: 'Server-Side Template Injection - Mako',
|
|
420
439
|
description: 'Critical server-side template injection vulnerability in Mako (Python) where user-controlled data is executed as template code, enabling arbitrary Python code execution through Mako expressions and full access to the Python runtime environment.',
|
|
421
440
|
severity: 'critical',
|
|
441
|
+
levelId: 1,
|
|
422
442
|
category: 'injection',
|
|
423
443
|
scanner: 'ssti',
|
|
424
444
|
cvss: {
|
|
@@ -438,11 +458,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
438
458
|
// XXE (XML EXTERNAL ENTITY) - Additional
|
|
439
459
|
// ========================================
|
|
440
460
|
[VulnerabilityCode.XXE_ERROR_BASED]: {
|
|
441
|
-
id:
|
|
461
|
+
id: 320,
|
|
442
462
|
code: VulnerabilityCode.XXE_ERROR_BASED,
|
|
443
463
|
title: 'XML External Entity Injection - Error Based',
|
|
444
464
|
description: 'Error-based XXE vulnerability where file contents can be extracted through parser error messages by crafting malformed external entities that include file data in error output, enabling data exfiltration even when direct output is not reflected.',
|
|
445
465
|
severity: 'high',
|
|
466
|
+
levelId: 2,
|
|
446
467
|
category: 'injection',
|
|
447
468
|
scanner: 'xxe',
|
|
448
469
|
cvss: {
|
|
@@ -459,11 +480,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
459
480
|
remediation: 'Disable DTD processing entirely in XML parser configuration. Suppress detailed error messages in production. Implement custom error handlers that do not expose file contents.',
|
|
460
481
|
},
|
|
461
482
|
[VulnerabilityCode.XXE_PARAMETER_ENTITY]: {
|
|
462
|
-
id:
|
|
483
|
+
id: 321,
|
|
463
484
|
code: VulnerabilityCode.XXE_PARAMETER_ENTITY,
|
|
464
485
|
title: 'XML External Entity Injection - Parameter Entity',
|
|
465
486
|
description: 'XXE vulnerability exploiting parameter entities in DTD declarations to exfiltrate data or perform SSRF attacks when regular external entities are blocked, by using percent-encoded entity references within the document type definition.',
|
|
466
487
|
severity: 'high',
|
|
488
|
+
levelId: 2,
|
|
467
489
|
category: 'injection',
|
|
468
490
|
scanner: 'xxe',
|
|
469
491
|
cvss: {
|
|
@@ -483,11 +505,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
483
505
|
// LOCAL FILE INCLUSION - Additional
|
|
484
506
|
// ========================================
|
|
485
507
|
[VulnerabilityCode.LFI_FILTER_BYPASS]: {
|
|
486
|
-
id:
|
|
508
|
+
id: 322,
|
|
487
509
|
code: VulnerabilityCode.LFI_FILTER_BYPASS,
|
|
488
510
|
title: 'Local File Inclusion - Filter Bypass',
|
|
489
511
|
description: 'Local file inclusion vulnerability that bypasses input validation filters through encoding tricks (URL encoding, double encoding, null bytes), alternate path separators, or case manipulation to access files despite security controls.',
|
|
490
512
|
severity: 'high',
|
|
513
|
+
levelId: 2,
|
|
491
514
|
category: 'file_inclusion',
|
|
492
515
|
scanner: 'local-file-inclusion',
|
|
493
516
|
cvss: {
|
|
@@ -504,11 +527,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
504
527
|
remediation: 'Use canonicalization after decoding before validation. Implement allowlist of permitted files instead of blocklist. Validate resolved paths are within expected directories.',
|
|
505
528
|
},
|
|
506
529
|
[VulnerabilityCode.LFI_PROC_DISCLOSURE]: {
|
|
507
|
-
id:
|
|
530
|
+
id: 323,
|
|
508
531
|
code: VulnerabilityCode.LFI_PROC_DISCLOSURE,
|
|
509
532
|
title: 'Local File Inclusion - Process Information Disclosure',
|
|
510
533
|
description: 'LFI vulnerability enabling access to /proc filesystem on Linux systems, exposing process memory maps, environment variables with credentials, command line arguments, and other runtime information that can reveal secrets and aid further attacks.',
|
|
511
534
|
severity: 'high',
|
|
535
|
+
levelId: 2,
|
|
512
536
|
category: 'file_inclusion',
|
|
513
537
|
scanner: 'local-file-inclusion',
|
|
514
538
|
cvss: {
|
|
@@ -528,11 +552,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
528
552
|
// XXE (XML EXTERNAL ENTITY)
|
|
529
553
|
// ========================================
|
|
530
554
|
[VulnerabilityCode.XXE_CLASSIC]: {
|
|
531
|
-
id:
|
|
555
|
+
id: 324,
|
|
532
556
|
code: VulnerabilityCode.XXE_CLASSIC,
|
|
533
557
|
title: 'XML External Entity Injection - Classic',
|
|
534
558
|
description: 'Classic XXE vulnerability where external XML entities are processed by the parser, allowing attackers to read local files like /etc/passwd or application configuration files by defining external entities that reference file:// protocol URIs in the XML document type definition.',
|
|
535
559
|
severity: 'high',
|
|
560
|
+
levelId: 2,
|
|
536
561
|
category: 'injection',
|
|
537
562
|
scanner: 'xxe',
|
|
538
563
|
cvss: {
|
|
@@ -549,11 +574,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
549
574
|
remediation: 'Disable DTD processing entirely. Disable external entity resolution in XML parser configuration. Use less complex data formats like JSON where possible. Validate and sanitize XML input.',
|
|
550
575
|
},
|
|
551
576
|
[VulnerabilityCode.XXE_BLIND]: {
|
|
552
|
-
id:
|
|
577
|
+
id: 325,
|
|
553
578
|
code: VulnerabilityCode.XXE_BLIND,
|
|
554
579
|
title: 'XML External Entity Injection - Blind',
|
|
555
580
|
description: 'Blind XXE vulnerability where external entities are processed but file contents are not directly returned in the response. Exploitation requires out-of-band techniques like error-based extraction or HTTP callbacks to exfiltrate data from the target server.',
|
|
556
581
|
severity: 'high',
|
|
582
|
+
levelId: 2,
|
|
557
583
|
category: 'injection',
|
|
558
584
|
scanner: 'xxe',
|
|
559
585
|
cvss: {
|
|
@@ -570,11 +596,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
570
596
|
remediation: 'Disable DTD and external entity processing in XML parser. Block outbound network connections from XML processing servers. Use JSON instead of XML where possible.',
|
|
571
597
|
},
|
|
572
598
|
[VulnerabilityCode.XXE_OOB]: {
|
|
573
|
-
id:
|
|
599
|
+
id: 326,
|
|
574
600
|
code: VulnerabilityCode.XXE_OOB,
|
|
575
601
|
title: 'XML External Entity Injection - Out-of-Band',
|
|
576
602
|
description: 'Critical out-of-band XXE vulnerability confirmed through external HTTP/DNS callbacks, proving the XML parser fetches external resources. This enables data exfiltration through URL parameters and server-side request forgery attacks against internal network resources.',
|
|
577
603
|
severity: 'critical',
|
|
604
|
+
levelId: 1,
|
|
578
605
|
category: 'injection',
|
|
579
606
|
scanner: 'xxe',
|
|
580
607
|
cvss: {
|
|
@@ -595,11 +622,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
595
622
|
// LOCAL FILE INCLUSION
|
|
596
623
|
// ========================================
|
|
597
624
|
[VulnerabilityCode.LFI_PATH_TRAVERSAL]: {
|
|
598
|
-
id:
|
|
625
|
+
id: 327,
|
|
599
626
|
code: VulnerabilityCode.LFI_PATH_TRAVERSAL,
|
|
600
627
|
title: 'Local File Inclusion - Path Traversal',
|
|
601
628
|
description: 'Path traversal vulnerability allowing attackers to read arbitrary files on the server by manipulating file path parameters with directory traversal sequences like ../ to escape the intended directory and access sensitive system or application configuration files.',
|
|
602
629
|
severity: 'high',
|
|
630
|
+
levelId: 2,
|
|
603
631
|
category: 'file_inclusion',
|
|
604
632
|
scanner: 'local-file-inclusion',
|
|
605
633
|
cvss: {
|
|
@@ -617,11 +645,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
617
645
|
remediation: 'Validate all file path inputs against an allowlist of permitted files. Canonicalize paths and verify they remain within expected directories. Use indirect file references instead of direct paths.',
|
|
618
646
|
},
|
|
619
647
|
[VulnerabilityCode.LFI_SOURCE_DISCLOSURE]: {
|
|
620
|
-
id:
|
|
648
|
+
id: 328,
|
|
621
649
|
code: VulnerabilityCode.LFI_SOURCE_DISCLOSURE,
|
|
622
650
|
title: 'Local File Inclusion - Source Code Disclosure',
|
|
623
651
|
description: 'Critical source code disclosure vulnerability where application source files can be read through file inclusion, exposing proprietary code, hardcoded credentials, API keys, database connection strings, and security implementation details that facilitate further attacks.',
|
|
624
652
|
severity: 'high',
|
|
653
|
+
levelId: 2,
|
|
625
654
|
category: 'file_inclusion',
|
|
626
655
|
scanner: 'local-file-inclusion',
|
|
627
656
|
cvss: {
|
|
@@ -639,11 +668,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
639
668
|
remediation: 'Use allowlist validation for file access. Store source files outside web root. Implement proper access controls on file reading functionality. Remove any debug endpoints that read files.',
|
|
640
669
|
},
|
|
641
670
|
[VulnerabilityCode.LFI_WRAPPER_PROTOCOL]: {
|
|
642
|
-
id:
|
|
671
|
+
id: 329,
|
|
643
672
|
code: VulnerabilityCode.LFI_WRAPPER_PROTOCOL,
|
|
644
673
|
title: 'Local File Inclusion - PHP Wrapper Protocol',
|
|
645
674
|
description: 'PHP wrapper protocol exploitation where filter or data wrappers like php://filter or php://input can be used to read source files as base64, write arbitrary files, or achieve remote code execution through deserialization when phar:// wrapper is enabled.',
|
|
646
675
|
severity: 'critical',
|
|
676
|
+
levelId: 1,
|
|
647
677
|
category: 'file_inclusion',
|
|
648
678
|
scanner: 'local-file-inclusion',
|
|
649
679
|
cvss: {
|
|
@@ -660,11 +690,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
660
690
|
remediation: 'Disable allow_url_include and allow_url_fopen in PHP configuration. Filter and validate all file path inputs. Block protocol wrappers in user input. Use allowlist for file access.',
|
|
661
691
|
},
|
|
662
692
|
[VulnerabilityCode.XPATH_AUTH_BYPASS]: {
|
|
663
|
-
id:
|
|
693
|
+
id: 330,
|
|
664
694
|
code: VulnerabilityCode.XPATH_AUTH_BYPASS,
|
|
665
695
|
title: 'XPath Injection - Authentication Bypass',
|
|
666
696
|
description: 'XPath injection vulnerability where crafted input manipulates XPath queries to bypass authentication or authorization checks, allowing attackers to log in as other users or access protected resources without valid credentials.',
|
|
667
697
|
severity: 'high',
|
|
698
|
+
levelId: 2,
|
|
668
699
|
category: 'injection',
|
|
669
700
|
scanner: 'xpath-injection',
|
|
670
701
|
cvss: {
|
|
@@ -681,11 +712,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
681
712
|
remediation: 'Use parameterized XPath queries or safe APIs that separate data from query logic. Validate and constrain user input for XPath contexts. Use allowlists and avoid dynamic XPath string concatenation.',
|
|
682
713
|
},
|
|
683
714
|
[VulnerabilityCode.XPATH_DATA_EXTRACTION]: {
|
|
684
|
-
id:
|
|
715
|
+
id: 331,
|
|
685
716
|
code: VulnerabilityCode.XPATH_DATA_EXTRACTION,
|
|
686
717
|
title: 'XPath Injection - Data Extraction',
|
|
687
718
|
description: 'XPath injection vulnerability that allows attackers to read or enumerate sensitive XML data by manipulating query predicates, leading to disclosure of user data, configuration, or credentials stored in XML-backed systems.',
|
|
688
719
|
severity: 'high',
|
|
720
|
+
levelId: 2,
|
|
689
721
|
category: 'injection',
|
|
690
722
|
scanner: 'xpath-injection',
|
|
691
723
|
cvss: {
|
|
@@ -702,11 +734,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
702
734
|
remediation: 'Use safe XPath APIs with variables/bind parameters. Apply strict input validation and encoding for XPath contexts. Restrict accessible XML data and apply least-privilege access controls.',
|
|
703
735
|
},
|
|
704
736
|
[VulnerabilityCode.XPATH_BLIND]: {
|
|
705
|
-
id:
|
|
737
|
+
id: 332,
|
|
706
738
|
code: VulnerabilityCode.XPATH_BLIND,
|
|
707
739
|
title: 'XPath Injection - Blind',
|
|
708
740
|
description: 'Blind XPath injection vulnerability where attackers infer query results through boolean or timing differences, enabling gradual extraction of sensitive XML data despite no direct response output.',
|
|
709
741
|
severity: 'medium',
|
|
742
|
+
levelId: 3,
|
|
710
743
|
category: 'injection',
|
|
711
744
|
scanner: 'xpath-injection',
|
|
712
745
|
cvss: {
|
|
@@ -723,11 +756,12 @@ export const INJECTION_VULNERABILITIES = {
|
|
|
723
756
|
remediation: 'Use parameterized XPath queries and input validation. Normalize error and response behaviors to reduce side-channel differences. Apply rate limiting to limit inference attacks.',
|
|
724
757
|
},
|
|
725
758
|
[VulnerabilityCode.XPATH_ERROR_BASED]: {
|
|
726
|
-
id:
|
|
759
|
+
id: 333,
|
|
727
760
|
code: VulnerabilityCode.XPATH_ERROR_BASED,
|
|
728
761
|
title: 'XPath Injection - Error Based',
|
|
729
762
|
description: 'XPath injection vulnerability where malformed input triggers verbose error messages that reveal query structure or XML data, enabling attackers to craft precise XPath exploits or extract sensitive information.',
|
|
730
763
|
severity: 'medium',
|
|
764
|
+
levelId: 3,
|
|
731
765
|
category: 'injection',
|
|
732
766
|
scanner: 'xpath-injection',
|
|
733
767
|
cvss: {
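Review bot: `levelId` is a second encoding of `severity` (critical→1, high→2, medium→3 on every entry from `id: 300` through `id: 333`), but nothing in this file ties the two together, so they can drift — the `LFI_SOURCE_DISCLOSURE` entry already calls itself "Critical source code disclosure" in its description while carrying `severity: 'high'` and `levelId: 2`. If this is the built output of `src/categories/injection.ts`, consider deriving the level in the source instead of hand-writing it, e.g. `levelId: severityToLevel('high')`, or have `scripts/check-duplicate-ids.ts` also assert the severity↔levelId mapping for every entry; at minimum a comment above the first entry such as `// numeric ids are allocated by scripts/assign-ids.ts from id-registry.json; never hand-edit or reuse them` would stop the new numbers being treated as editable. Separately, the `LFI_WRAPPER_PROTOCOL` remediation leans on turning off `allow_url_include`/`allow_url_fopen`, yet `php://filter` — the vector its own description names — is not affected by either setting, so the text should say so explicitly and lead with allowlist-based resolution of local file paths.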
|