@zerothreatai/vulnerability-registry 3.0.0 → 5.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/categories/authentication.js +34 -17
- package/dist/categories/configuration.js +561 -60
- package/dist/categories/injection.js +68 -34
- package/dist/categories/sensitive-paths.js +168 -84
- package/dist/categories/ssrf.js +22 -11
- package/dist/categories/xss.js +30 -15
- package/dist/category.d.ts +6 -0
- package/dist/category.js +15 -0
- package/dist/error-codes.d.ts +20 -0
- package/dist/error-codes.js +20 -0
- package/dist/index.d.ts +9 -1
- package/dist/index.js +5 -1
- package/dist/scanner.d.ts +6 -0
- package/dist/scanner.js +22 -0
- package/dist/types.d.ts +2 -0
- package/dist-cjs/categories/authentication.js +34 -17
- package/dist-cjs/categories/configuration.js +561 -60
- package/dist-cjs/categories/injection.js +68 -34
- package/dist-cjs/categories/sensitive-paths.js +168 -84
- package/dist-cjs/categories/ssrf.js +22 -11
- package/dist-cjs/categories/xss.js +30 -15
- package/dist-cjs/category.js +18 -0
- package/dist-cjs/error-codes.js +20 -0
- package/dist-cjs/index.js +7 -1
- package/dist-cjs/scanner.js +25 -0
- package/package.json +35 -32
- package/scripts/assign-ids.ts +105 -0
- package/scripts/check-duplicate-ids.ts +45 -0
- package/src/categories/authentication.ts +145 -128
- package/src/categories/configuration.ts +1632 -1111
- package/src/categories/injection.ts +158 -124
- package/src/categories/sensitive-paths.ts +168 -84
- package/src/categories/ssrf.ts +22 -11
- package/src/categories/xss.ts +30 -15
- package/src/category.ts +16 -0
- package/src/error-codes.ts +25 -5
- package/src/id-registry.json +1235 -0
- package/src/index.ts +20 -14
- package/src/scanner.ts +23 -0
- package/src/types.ts +4 -2
- package/zerothreatai-vulnerability-registry-4npm .0.0.tgz +0 -0
- package/src/categories/authentication.d.ts +0 -8
- package/src/categories/authentication.d.ts.map +0 -1
- package/src/categories/authentication.js +0 -378
- package/src/categories/authentication.js.map +0 -1
- package/src/categories/configuration.d.ts +0 -8
- package/src/categories/configuration.d.ts.map +0 -1
- package/src/categories/configuration.js +0 -906
- package/src/categories/configuration.js.map +0 -1
- package/src/categories/injection.d.ts +0 -8
- package/src/categories/injection.d.ts.map +0 -1
- package/src/categories/injection.js +0 -750
- package/src/categories/injection.js.map +0 -1
- package/src/categories/sensitive-paths.d.ts +0 -9
- package/src/categories/sensitive-paths.d.ts.map +0 -1
- package/src/categories/sensitive-paths.js +0 -1791
- package/src/categories/sensitive-paths.js.map +0 -1
- package/src/categories/ssrf.d.ts +0 -8
- package/src/categories/ssrf.d.ts.map +0 -1
- package/src/categories/ssrf.js +0 -250
- package/src/categories/ssrf.js.map +0 -1
- package/src/categories/xss.d.ts +0 -7
- package/src/categories/xss.d.ts.map +0 -1
- package/src/categories/xss.js +0 -328
- package/src/categories/xss.js.map +0 -1
- package/src/error-codes.d.ts +0 -242
- package/src/error-codes.d.ts.map +0 -1
- package/src/error-codes.js +0 -315
- package/src/error-codes.js.map +0 -1
- package/src/index.d.ts +0 -60
- package/src/index.d.ts.map +0 -1
- package/src/index.js +0 -107
- package/src/index.js.map +0 -1
- package/src/types.d.ts +0 -86
- package/src/types.d.ts.map +0 -1
- package/src/types.js +0 -7
- package/src/types.js.map +0 -1
|
@@ -12,11 +12,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
12
12
|
// SQL INJECTION
|
|
13
13
|
// ========================================
|
|
14
14
|
[error_codes_js_1.VulnerabilityCode.SQLI_ERROR_BASED]: {
|
|
15
|
-
id:
|
|
15
|
+
id: 300,
|
|
16
16
|
code: error_codes_js_1.VulnerabilityCode.SQLI_ERROR_BASED,
|
|
17
17
|
title: 'SQL Injection - Error Based',
|
|
18
18
|
description: 'Error-based SQL injection vulnerability detected where database error messages are reflected in the application response, allowing attackers to extract sensitive data from the database by manipulating SQL queries and analyzing error output.',
|
|
19
19
|
severity: 'high',
|
|
20
|
+
levelId: 2,
|
|
20
21
|
category: 'injection',
|
|
21
22
|
scanner: 'sql-injection',
|
|
22
23
|
cvss: {
|
|
@@ -33,11 +34,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
33
34
|
remediation: 'Use parameterized queries or prepared statements. Implement input validation and sanitization. Use stored procedures with parameterized inputs. Apply principle of least privilege to database accounts.',
|
|
34
35
|
},
|
|
35
36
|
[error_codes_js_1.VulnerabilityCode.SQLI_BOOLEAN_BASED]: {
|
|
36
|
-
id:
|
|
37
|
+
id: 301,
|
|
37
38
|
code: error_codes_js_1.VulnerabilityCode.SQLI_BOOLEAN_BASED,
|
|
38
39
|
title: 'SQL Injection - Boolean Based Blind',
|
|
39
40
|
description: 'Boolean-based blind SQL injection vulnerability where the application responds differently based on whether injected conditions evaluate to true or false, enabling attackers to infer database contents one bit at a time through systematic query manipulation.',
|
|
40
41
|
severity: 'high',
|
|
42
|
+
levelId: 2,
|
|
41
43
|
category: 'injection',
|
|
42
44
|
scanner: 'sql-injection',
|
|
43
45
|
cvss: {
|
|
@@ -54,11 +56,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
54
56
|
remediation: 'Use parameterized queries or prepared statements. Implement consistent error handling that does not reveal query success/failure. Apply input validation and output encoding.',
|
|
55
57
|
},
|
|
56
58
|
[error_codes_js_1.VulnerabilityCode.SQLI_TIME_BASED]: {
|
|
57
|
-
id:
|
|
59
|
+
id: 302,
|
|
58
60
|
code: error_codes_js_1.VulnerabilityCode.SQLI_TIME_BASED,
|
|
59
61
|
title: 'SQL Injection - Time Based Blind',
|
|
60
62
|
description: 'Time-based blind SQL injection vulnerability where attackers can infer database contents by measuring response time differences caused by injected time delay functions like SLEEP() or WAITFOR, enabling complete database extraction through timing analysis.',
|
|
61
63
|
severity: 'high',
|
|
64
|
+
levelId: 2,
|
|
62
65
|
category: 'injection',
|
|
63
66
|
scanner: 'sql-injection',
|
|
64
67
|
cvss: {
|
|
@@ -75,11 +78,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
75
78
|
remediation: 'Use parameterized queries or prepared statements. Implement query timeout limits. Apply input validation and sanitization. Monitor for abnormally slow queries.',
|
|
76
79
|
},
|
|
77
80
|
[error_codes_js_1.VulnerabilityCode.SQLI_STACK_BASED]: {
|
|
78
|
-
id:
|
|
81
|
+
id: 303,
|
|
79
82
|
code: error_codes_js_1.VulnerabilityCode.SQLI_STACK_BASED,
|
|
80
83
|
title: 'SQL Injection - Stacked Queries',
|
|
81
84
|
description: 'Critical stacked queries SQL injection vulnerability allowing attackers to execute multiple SQL statements in a single query, enabling destructive operations like DROP TABLE, INSERT into admin tables, or creating backdoor accounts with full database control.',
|
|
82
85
|
severity: 'critical',
|
|
86
|
+
levelId: 1,
|
|
83
87
|
category: 'injection',
|
|
84
88
|
scanner: 'sql-injection',
|
|
85
89
|
cvss: {
|
|
@@ -96,11 +100,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
96
100
|
remediation: 'Use parameterized queries exclusively. Disable multi-statement execution in database drivers. Implement strict input validation. Apply least privilege database permissions and prevent DDL execution.',
|
|
97
101
|
},
|
|
98
102
|
[error_codes_js_1.VulnerabilityCode.SQLI_UNION_BASED]: {
|
|
99
|
-
id:
|
|
103
|
+
id: 304,
|
|
100
104
|
code: error_codes_js_1.VulnerabilityCode.SQLI_UNION_BASED,
|
|
101
105
|
title: 'SQL Injection - UNION Based',
|
|
102
106
|
description: 'UNION-based SQL injection vulnerability allowing attackers to append additional SELECT queries using UNION operator, enabling direct extraction of data from other database tables including user credentials, personal information, and sensitive business data.',
|
|
103
107
|
severity: 'high',
|
|
108
|
+
levelId: 2,
|
|
104
109
|
category: 'injection',
|
|
105
110
|
scanner: 'sql-injection',
|
|
106
111
|
cvss: {
|
|
@@ -120,11 +125,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
120
125
|
// COMMAND INJECTION
|
|
121
126
|
// ========================================
|
|
122
127
|
[error_codes_js_1.VulnerabilityCode.CMDI_OOB_CONFIRMED]: {
|
|
123
|
-
id:
|
|
128
|
+
id: 305,
|
|
124
129
|
code: error_codes_js_1.VulnerabilityCode.CMDI_OOB_CONFIRMED,
|
|
125
130
|
title: 'OS Command Injection - OOB Confirmed',
|
|
126
131
|
description: 'Critical OS command injection vulnerability confirmed through out-of-band callback detection, proving that attacker-controlled shell commands are being executed on the server operating system with full access to system resources and potential for complete server compromise.',
|
|
127
132
|
severity: 'critical',
|
|
133
|
+
levelId: 1,
|
|
128
134
|
category: 'injection',
|
|
129
135
|
scanner: 'command-injection',
|
|
130
136
|
cvss: {
|
|
@@ -141,11 +147,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
141
147
|
remediation: 'Avoid system calls with user input entirely. Use language-specific APIs instead of shell commands. Implement strict input validation with allowlists. Run applications with minimal OS privileges in sandboxed environments.',
|
|
142
148
|
},
|
|
143
149
|
[error_codes_js_1.VulnerabilityCode.CMDI_REFLECTED]: {
|
|
144
|
-
id:
|
|
150
|
+
id: 306,
|
|
145
151
|
code: error_codes_js_1.VulnerabilityCode.CMDI_REFLECTED,
|
|
146
152
|
title: 'OS Command Injection - Reflected Output',
|
|
147
153
|
description: 'OS command injection vulnerability confirmed by command output being reflected in the application response, indicating that shell commands execute on the server and their results are returned to the attacker for data exfiltration and system reconnaissance.',
|
|
148
154
|
severity: 'critical',
|
|
155
|
+
levelId: 1,
|
|
149
156
|
category: 'injection',
|
|
150
157
|
scanner: 'command-injection',
|
|
151
158
|
cvss: {
|
|
@@ -162,11 +169,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
162
169
|
remediation: 'Replace shell command execution with native language APIs. Implement strict input validation using allowlists. Escape shell metacharacters if commands are unavoidable. Sandbox application execution environments.',
|
|
163
170
|
},
|
|
164
171
|
[error_codes_js_1.VulnerabilityCode.CMDI_TIME_BASED]: {
|
|
165
|
-
id:
|
|
172
|
+
id: 307,
|
|
166
173
|
code: error_codes_js_1.VulnerabilityCode.CMDI_TIME_BASED,
|
|
167
174
|
title: 'OS Command Injection - Time Based',
|
|
168
175
|
description: 'Time-based OS command injection vulnerability detected through measurable response time delays caused by injected sleep or ping commands, strongly indicating that shell commands execute on the server even though output is not directly visible in responses.',
|
|
169
176
|
severity: 'high',
|
|
177
|
+
levelId: 2,
|
|
170
178
|
category: 'injection',
|
|
171
179
|
scanner: 'command-injection',
|
|
172
180
|
cvss: {
|
|
@@ -183,11 +191,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
183
191
|
remediation: 'Avoid executing system commands with user input. Use native APIs for required functionality. Implement strict input validation. Set command execution timeouts and monitor for anomalous delays.',
|
|
184
192
|
},
|
|
185
193
|
[error_codes_js_1.VulnerabilityCode.CMDI_ERROR_BASED]: {
|
|
186
|
-
id:
|
|
194
|
+
id: 308,
|
|
187
195
|
code: error_codes_js_1.VulnerabilityCode.CMDI_ERROR_BASED,
|
|
188
196
|
title: 'OS Command Injection - Error Based',
|
|
189
197
|
description: 'Potential OS command injection vulnerability indicated by distinctive error messages or system-level exceptions in the application response when malformed shell payloads are submitted, suggesting command execution attempts reach the operating system interpreter.',
|
|
190
198
|
severity: 'medium',
|
|
199
|
+
levelId: 3,
|
|
191
200
|
category: 'injection',
|
|
192
201
|
scanner: 'command-injection',
|
|
193
202
|
cvss: {
|
|
@@ -207,11 +216,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
207
216
|
// SERVER-SIDE TEMPLATE INJECTION
|
|
208
217
|
// ========================================
|
|
209
218
|
[error_codes_js_1.VulnerabilityCode.SSTI_JINJA2]: {
|
|
210
|
-
id:
|
|
219
|
+
id: 309,
|
|
211
220
|
code: error_codes_js_1.VulnerabilityCode.SSTI_JINJA2,
|
|
212
221
|
title: 'Server-Side Template Injection - Jinja2',
|
|
213
222
|
description: 'Critical server-side template injection vulnerability in Jinja2 (Python/Flask) where user input is processed as template code, enabling attackers to execute arbitrary Python code on the server through template expressions like {{config}} or {{request.application.__globals__}}.',
|
|
214
223
|
severity: 'critical',
|
|
224
|
+
levelId: 1,
|
|
215
225
|
category: 'injection',
|
|
216
226
|
scanner: 'ssti',
|
|
217
227
|
cvss: {
|
|
@@ -228,11 +238,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
228
238
|
remediation: 'Never pass user input directly to template rendering. Use sandboxed template environments with restricted builtins. Prefer logic-less templates like Mustache. Implement strict input validation before template processing.',
|
|
229
239
|
},
|
|
230
240
|
[error_codes_js_1.VulnerabilityCode.SSTI_TWIG]: {
|
|
231
|
-
id:
|
|
241
|
+
id: 310,
|
|
232
242
|
code: error_codes_js_1.VulnerabilityCode.SSTI_TWIG,
|
|
233
243
|
title: 'Server-Side Template Injection - Twig',
|
|
234
244
|
description: 'Critical server-side template injection vulnerability in Twig (PHP/Symfony) where user input is evaluated as template expressions, allowing attackers to execute arbitrary PHP code on the server through filter chains and object method invocations within template syntax.',
|
|
235
245
|
severity: 'critical',
|
|
246
|
+
levelId: 1,
|
|
236
247
|
category: 'injection',
|
|
237
248
|
scanner: 'ssti',
|
|
238
249
|
cvss: {
|
|
@@ -249,11 +260,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
249
260
|
remediation: 'Avoid rendering user input as templates. Use Twig sandbox mode with whitelisted tags, filters, and functions. Upgrade to latest Twig version with security patches. Validate and sanitize all inputs.',
|
|
250
261
|
},
|
|
251
262
|
[error_codes_js_1.VulnerabilityCode.SSTI_FREEMARKER]: {
|
|
252
|
-
id:
|
|
263
|
+
id: 311,
|
|
253
264
|
code: error_codes_js_1.VulnerabilityCode.SSTI_FREEMARKER,
|
|
254
265
|
title: 'Server-Side Template Injection - FreeMarker',
|
|
255
266
|
description: 'Critical server-side template injection vulnerability in FreeMarker (Java) where user-controlled data is interpreted as template directives, enabling remote code execution through Java class instantiation and method invocation via FreeMarker built-in expressions.',
|
|
256
267
|
severity: 'critical',
|
|
268
|
+
levelId: 1,
|
|
257
269
|
category: 'injection',
|
|
258
270
|
scanner: 'ssti',
|
|
259
271
|
cvss: {
|
|
@@ -270,11 +282,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
270
282
|
remediation: 'Never interpolate user input into templates. Configure FreeMarker with restricted class resolver. Disable new() built-in and api built-ins. Use template configuration to restrict available classes.',
|
|
271
283
|
},
|
|
272
284
|
[error_codes_js_1.VulnerabilityCode.SSTI_GENERIC]: {
|
|
273
|
-
id:
|
|
285
|
+
id: 312,
|
|
274
286
|
code: error_codes_js_1.VulnerabilityCode.SSTI_GENERIC,
|
|
275
287
|
title: 'Server-Side Template Injection - Generic',
|
|
276
288
|
description: 'Server-side template injection vulnerability detected where user input is being processed by a template engine, potentially allowing code execution. The specific template engine could not be determined, but mathematical expression evaluation confirms server-side processing of user input.',
|
|
277
289
|
severity: 'high',
|
|
290
|
+
levelId: 2,
|
|
278
291
|
category: 'injection',
|
|
279
292
|
scanner: 'ssti',
|
|
280
293
|
cvss: {
|
|
@@ -291,11 +304,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
291
304
|
remediation: 'Identify the template engine in use and apply engine-specific mitigations. Never pass user input to template rendering. Use sandboxed template environments. Implement strict input validation.',
|
|
292
305
|
},
|
|
293
306
|
[error_codes_js_1.VulnerabilityCode.SSTI_VELOCITY]: {
|
|
294
|
-
id:
|
|
307
|
+
id: 313,
|
|
295
308
|
code: error_codes_js_1.VulnerabilityCode.SSTI_VELOCITY,
|
|
296
309
|
title: 'Server-Side Template Injection - Velocity',
|
|
297
310
|
description: 'Critical server-side template injection vulnerability in Apache Velocity (Java) where user-controlled data is processed as template directives, enabling arbitrary Java code execution through Velocity Template Language expressions and class instantiation.',
|
|
298
311
|
severity: 'critical',
|
|
312
|
+
levelId: 1,
|
|
299
313
|
category: 'injection',
|
|
300
314
|
scanner: 'ssti',
|
|
301
315
|
cvss: {
|
|
@@ -312,11 +326,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
312
326
|
remediation: 'Never render user input as Velocity templates. Configure SecureUberspector to block dangerous method calls. Use Velocity tools with restricted capabilities. Apply input validation.',
|
|
313
327
|
},
|
|
314
328
|
[error_codes_js_1.VulnerabilityCode.SSTI_THYMELEAF]: {
|
|
315
|
-
id:
|
|
329
|
+
id: 314,
|
|
316
330
|
code: error_codes_js_1.VulnerabilityCode.SSTI_THYMELEAF,
|
|
317
331
|
title: 'Server-Side Template Injection - Thymeleaf',
|
|
318
332
|
description: 'Critical server-side template injection vulnerability in Thymeleaf (Spring/Java) where user input is processed as template expressions, enabling remote code execution through SpEL (Spring Expression Language) injection in template attributes.',
|
|
319
333
|
severity: 'critical',
|
|
334
|
+
levelId: 1,
|
|
320
335
|
category: 'injection',
|
|
321
336
|
scanner: 'ssti',
|
|
322
337
|
cvss: {
|
|
@@ -333,11 +348,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
333
348
|
remediation: 'Never concatenate user input into template expressions. Use th:text for displaying user data. Configure SpringTemplateEngine to restrict expression capabilities.',
|
|
334
349
|
},
|
|
335
350
|
[error_codes_js_1.VulnerabilityCode.SSTI_ERB]: {
|
|
336
|
-
id:
|
|
351
|
+
id: 315,
|
|
337
352
|
code: error_codes_js_1.VulnerabilityCode.SSTI_ERB,
|
|
338
353
|
title: 'Server-Side Template Injection - ERB',
|
|
339
354
|
description: 'Critical server-side template injection vulnerability in ERB (Ruby on Rails) where user input is embedded in ERB templates and executed as Ruby code, enabling arbitrary system command execution and complete server compromise through Ruby runtime access.',
|
|
340
355
|
severity: 'critical',
|
|
356
|
+
levelId: 1,
|
|
341
357
|
category: 'injection',
|
|
342
358
|
scanner: 'ssti',
|
|
343
359
|
cvss: {
|
|
@@ -354,11 +370,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
354
370
|
remediation: 'Never pass user input to ERB.new(). Use Rails html_safe only after proper sanitization. Prefer logic-less templates. Implement strict input validation before any rendering.',
|
|
355
371
|
},
|
|
356
372
|
[error_codes_js_1.VulnerabilityCode.SSTI_EJS]: {
|
|
357
|
-
id:
|
|
373
|
+
id: 316,
|
|
358
374
|
code: error_codes_js_1.VulnerabilityCode.SSTI_EJS,
|
|
359
375
|
title: 'Server-Side Template Injection - EJS',
|
|
360
376
|
description: 'Critical server-side template injection vulnerability in EJS (Node.js) where user-controlled data is processed as template code, allowing arbitrary JavaScript execution on the server through embedded JavaScript expressions and access to Node.js runtime.',
|
|
361
377
|
severity: 'critical',
|
|
378
|
+
levelId: 1,
|
|
362
379
|
category: 'injection',
|
|
363
380
|
scanner: 'ssti',
|
|
364
381
|
cvss: {
|
|
@@ -375,11 +392,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
375
392
|
remediation: 'Never pass user input directly to ejs.render(). Use ejs.escape() for user data. Pass data through template locals only. Consider switching to logic-less templates like Handlebars.',
|
|
376
393
|
},
|
|
377
394
|
[error_codes_js_1.VulnerabilityCode.SSTI_PUG]: {
|
|
378
|
-
id:
|
|
395
|
+
id: 317,
|
|
379
396
|
code: error_codes_js_1.VulnerabilityCode.SSTI_PUG,
|
|
380
397
|
title: 'Server-Side Template Injection - Pug/Jade',
|
|
381
398
|
description: 'Critical server-side template injection vulnerability in Pug (formerly Jade, Node.js) where user input is interpreted as template syntax, enabling arbitrary JavaScript code execution through Pug embedded code blocks and access to server-side Node.js environment.',
|
|
382
399
|
severity: 'critical',
|
|
400
|
+
levelId: 1,
|
|
383
401
|
category: 'injection',
|
|
384
402
|
scanner: 'ssti',
|
|
385
403
|
cvss: {
|
|
@@ -396,11 +414,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
396
414
|
remediation: 'Never compile user input as Pug templates. Pass user data only through template locals. Avoid pug.compile() with user-controlled template strings. Use static templates only.',
|
|
397
415
|
},
|
|
398
416
|
[error_codes_js_1.VulnerabilityCode.SSTI_SMARTY]: {
|
|
399
|
-
id:
|
|
417
|
+
id: 318,
|
|
400
418
|
code: error_codes_js_1.VulnerabilityCode.SSTI_SMARTY,
|
|
401
419
|
title: 'Server-Side Template Injection - Smarty',
|
|
402
420
|
description: 'Critical server-side template injection vulnerability in Smarty (PHP) where user input is processed as template code, enabling arbitrary PHP code execution through Smarty tags and function calls that can lead to complete server compromise.',
|
|
403
421
|
severity: 'critical',
|
|
422
|
+
levelId: 1,
|
|
404
423
|
category: 'injection',
|
|
405
424
|
scanner: 'ssti',
|
|
406
425
|
cvss: {
|
|
@@ -417,11 +436,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
417
436
|
remediation: 'Enable Smarty security_policy to restrict allowed tags and modifiers. Never pass user input to template compilation. Disable {php} tags. Use Smarty 3+ with security features enabled.',
|
|
418
437
|
},
|
|
419
438
|
[error_codes_js_1.VulnerabilityCode.SSTI_MAKO]: {
|
|
420
|
-
id:
|
|
439
|
+
id: 319,
|
|
421
440
|
code: error_codes_js_1.VulnerabilityCode.SSTI_MAKO,
|
|
422
441
|
title: 'Server-Side Template Injection - Mako',
|
|
423
442
|
description: 'Critical server-side template injection vulnerability in Mako (Python) where user-controlled data is executed as template code, enabling arbitrary Python code execution through Mako expressions and full access to the Python runtime environment.',
|
|
424
443
|
severity: 'critical',
|
|
444
|
+
levelId: 1,
|
|
425
445
|
category: 'injection',
|
|
426
446
|
scanner: 'ssti',
|
|
427
447
|
cvss: {
|
|
@@ -441,11 +461,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
441
461
|
// XXE (XML EXTERNAL ENTITY) - Additional
|
|
442
462
|
// ========================================
|
|
443
463
|
[error_codes_js_1.VulnerabilityCode.XXE_ERROR_BASED]: {
|
|
444
|
-
id:
|
|
464
|
+
id: 320,
|
|
445
465
|
code: error_codes_js_1.VulnerabilityCode.XXE_ERROR_BASED,
|
|
446
466
|
title: 'XML External Entity Injection - Error Based',
|
|
447
467
|
description: 'Error-based XXE vulnerability where file contents can be extracted through parser error messages by crafting malformed external entities that include file data in error output, enabling data exfiltration even when direct output is not reflected.',
|
|
448
468
|
severity: 'high',
|
|
469
|
+
levelId: 2,
|
|
449
470
|
category: 'injection',
|
|
450
471
|
scanner: 'xxe',
|
|
451
472
|
cvss: {
|
|
@@ -462,11 +483,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
462
483
|
remediation: 'Disable DTD processing entirely in XML parser configuration. Suppress detailed error messages in production. Implement custom error handlers that do not expose file contents.',
|
|
463
484
|
},
|
|
464
485
|
[error_codes_js_1.VulnerabilityCode.XXE_PARAMETER_ENTITY]: {
|
|
465
|
-
id:
|
|
486
|
+
id: 321,
|
|
466
487
|
code: error_codes_js_1.VulnerabilityCode.XXE_PARAMETER_ENTITY,
|
|
467
488
|
title: 'XML External Entity Injection - Parameter Entity',
|
|
468
489
|
description: 'XXE vulnerability exploiting parameter entities in DTD declarations to exfiltrate data or perform SSRF attacks when regular external entities are blocked, by using percent-encoded entity references within the document type definition.',
|
|
469
490
|
severity: 'high',
|
|
491
|
+
levelId: 2,
|
|
470
492
|
category: 'injection',
|
|
471
493
|
scanner: 'xxe',
|
|
472
494
|
cvss: {
|
|
@@ -486,11 +508,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
486
508
|
// LOCAL FILE INCLUSION - Additional
|
|
487
509
|
// ========================================
|
|
488
510
|
[error_codes_js_1.VulnerabilityCode.LFI_FILTER_BYPASS]: {
|
|
489
|
-
id:
|
|
511
|
+
id: 322,
|
|
490
512
|
code: error_codes_js_1.VulnerabilityCode.LFI_FILTER_BYPASS,
|
|
491
513
|
title: 'Local File Inclusion - Filter Bypass',
|
|
492
514
|
description: 'Local file inclusion vulnerability that bypasses input validation filters through encoding tricks (URL encoding, double encoding, null bytes), alternate path separators, or case manipulation to access files despite security controls.',
|
|
493
515
|
severity: 'high',
|
|
516
|
+
levelId: 2,
|
|
494
517
|
category: 'file_inclusion',
|
|
495
518
|
scanner: 'local-file-inclusion',
|
|
496
519
|
cvss: {
|
|
@@ -507,11 +530,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
507
530
|
remediation: 'Use canonicalization after decoding before validation. Implement allowlist of permitted files instead of blocklist. Validate resolved paths are within expected directories.',
|
|
508
531
|
},
|
|
509
532
|
[error_codes_js_1.VulnerabilityCode.LFI_PROC_DISCLOSURE]: {
|
|
510
|
-
id:
|
|
533
|
+
id: 323,
|
|
511
534
|
code: error_codes_js_1.VulnerabilityCode.LFI_PROC_DISCLOSURE,
|
|
512
535
|
title: 'Local File Inclusion - Process Information Disclosure',
|
|
513
536
|
description: 'LFI vulnerability enabling access to /proc filesystem on Linux systems, exposing process memory maps, environment variables with credentials, command line arguments, and other runtime information that can reveal secrets and aid further attacks.',
|
|
514
537
|
severity: 'high',
|
|
538
|
+
levelId: 2,
|
|
515
539
|
category: 'file_inclusion',
|
|
516
540
|
scanner: 'local-file-inclusion',
|
|
517
541
|
cvss: {
|
|
@@ -531,11 +555,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
531
555
|
// XXE (XML EXTERNAL ENTITY)
|
|
532
556
|
// ========================================
|
|
533
557
|
[error_codes_js_1.VulnerabilityCode.XXE_CLASSIC]: {
|
|
534
|
-
id:
|
|
558
|
+
id: 324,
|
|
535
559
|
code: error_codes_js_1.VulnerabilityCode.XXE_CLASSIC,
|
|
536
560
|
title: 'XML External Entity Injection - Classic',
|
|
537
561
|
description: 'Classic XXE vulnerability where external XML entities are processed by the parser, allowing attackers to read local files like /etc/passwd or application configuration files by defining external entities that reference file:// protocol URIs in the XML document type definition.',
|
|
538
562
|
severity: 'high',
|
|
563
|
+
levelId: 2,
|
|
539
564
|
category: 'injection',
|
|
540
565
|
scanner: 'xxe',
|
|
541
566
|
cvss: {
|
|
@@ -552,11 +577,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
552
577
|
remediation: 'Disable DTD processing entirely. Disable external entity resolution in XML parser configuration. Use less complex data formats like JSON where possible. Validate and sanitize XML input.',
|
|
553
578
|
},
|
|
554
579
|
[error_codes_js_1.VulnerabilityCode.XXE_BLIND]: {
|
|
555
|
-
id:
|
|
580
|
+
id: 325,
|
|
556
581
|
code: error_codes_js_1.VulnerabilityCode.XXE_BLIND,
|
|
557
582
|
title: 'XML External Entity Injection - Blind',
|
|
558
583
|
description: 'Blind XXE vulnerability where external entities are processed but file contents are not directly returned in the response. Exploitation requires out-of-band techniques like error-based extraction or HTTP callbacks to exfiltrate data from the target server.',
|
|
559
584
|
severity: 'high',
|
|
585
|
+
levelId: 2,
|
|
560
586
|
category: 'injection',
|
|
561
587
|
scanner: 'xxe',
|
|
562
588
|
cvss: {
|
|
@@ -573,11 +599,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
573
599
|
remediation: 'Disable DTD and external entity processing in XML parser. Block outbound network connections from XML processing servers. Use JSON instead of XML where possible.',
|
|
574
600
|
},
|
|
575
601
|
[error_codes_js_1.VulnerabilityCode.XXE_OOB]: {
|
|
576
|
-
id:
|
|
602
|
+
id: 326,
|
|
577
603
|
code: error_codes_js_1.VulnerabilityCode.XXE_OOB,
|
|
578
604
|
title: 'XML External Entity Injection - Out-of-Band',
|
|
579
605
|
description: 'Critical out-of-band XXE vulnerability confirmed through external HTTP/DNS callbacks, proving the XML parser fetches external resources. This enables data exfiltration through URL parameters and server-side request forgery attacks against internal network resources.',
|
|
580
606
|
severity: 'critical',
|
|
607
|
+
levelId: 1,
|
|
581
608
|
category: 'injection',
|
|
582
609
|
scanner: 'xxe',
|
|
583
610
|
cvss: {
|
|
@@ -598,11 +625,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
598
625
|
// LOCAL FILE INCLUSION
|
|
599
626
|
// ========================================
|
|
600
627
|
[error_codes_js_1.VulnerabilityCode.LFI_PATH_TRAVERSAL]: {
|
|
601
|
-
id:
|
|
628
|
+
id: 327,
|
|
602
629
|
code: error_codes_js_1.VulnerabilityCode.LFI_PATH_TRAVERSAL,
|
|
603
630
|
title: 'Local File Inclusion - Path Traversal',
|
|
604
631
|
description: 'Path traversal vulnerability allowing attackers to read arbitrary files on the server by manipulating file path parameters with directory traversal sequences like ../ to escape the intended directory and access sensitive system or application configuration files.',
|
|
605
632
|
severity: 'high',
|
|
633
|
+
levelId: 2,
|
|
606
634
|
category: 'file_inclusion',
|
|
607
635
|
scanner: 'local-file-inclusion',
|
|
608
636
|
cvss: {
|
|
@@ -620,11 +648,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
620
648
|
remediation: 'Validate all file path inputs against an allowlist of permitted files. Canonicalize paths and verify they remain within expected directories. Use indirect file references instead of direct paths.',
|
|
621
649
|
},
|
|
622
650
|
[error_codes_js_1.VulnerabilityCode.LFI_SOURCE_DISCLOSURE]: {
|
|
623
|
-
id:
|
|
651
|
+
id: 328,
|
|
624
652
|
code: error_codes_js_1.VulnerabilityCode.LFI_SOURCE_DISCLOSURE,
|
|
625
653
|
title: 'Local File Inclusion - Source Code Disclosure',
|
|
626
654
|
description: 'Critical source code disclosure vulnerability where application source files can be read through file inclusion, exposing proprietary code, hardcoded credentials, API keys, database connection strings, and security implementation details that facilitate further attacks.',
|
|
627
655
|
severity: 'high',
|
|
656
|
+
levelId: 2,
|
|
628
657
|
category: 'file_inclusion',
|
|
629
658
|
scanner: 'local-file-inclusion',
|
|
630
659
|
cvss: {
|
|
@@ -642,11 +671,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
642
671
|
remediation: 'Use allowlist validation for file access. Store source files outside web root. Implement proper access controls on file reading functionality. Remove any debug endpoints that read files.',
|
|
643
672
|
},
|
|
644
673
|
[error_codes_js_1.VulnerabilityCode.LFI_WRAPPER_PROTOCOL]: {
|
|
645
|
-
id:
|
|
674
|
+
id: 329,
|
|
646
675
|
code: error_codes_js_1.VulnerabilityCode.LFI_WRAPPER_PROTOCOL,
|
|
647
676
|
title: 'Local File Inclusion - PHP Wrapper Protocol',
|
|
648
677
|
description: 'PHP wrapper protocol exploitation where filter or data wrappers like php://filter or php://input can be used to read source files as base64, write arbitrary files, or achieve remote code execution through deserialization when phar:// wrapper is enabled.',
|
|
649
678
|
severity: 'critical',
|
|
679
|
+
levelId: 1,
|
|
650
680
|
category: 'file_inclusion',
|
|
651
681
|
scanner: 'local-file-inclusion',
|
|
652
682
|
cvss: {
|
|
@@ -663,11 +693,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
663
693
|
remediation: 'Disable allow_url_include and allow_url_fopen in PHP configuration. Filter and validate all file path inputs. Block protocol wrappers in user input. Use allowlist for file access.',
|
|
664
694
|
},
|
|
665
695
|
[error_codes_js_1.VulnerabilityCode.XPATH_AUTH_BYPASS]: {
|
|
666
|
-
id:
|
|
696
|
+
id: 330,
|
|
667
697
|
code: error_codes_js_1.VulnerabilityCode.XPATH_AUTH_BYPASS,
|
|
668
698
|
title: 'XPath Injection - Authentication Bypass',
|
|
669
699
|
description: 'XPath injection vulnerability where crafted input manipulates XPath queries to bypass authentication or authorization checks, allowing attackers to log in as other users or access protected resources without valid credentials.',
|
|
670
700
|
severity: 'high',
|
|
701
|
+
levelId: 2,
|
|
671
702
|
category: 'injection',
|
|
672
703
|
scanner: 'xpath-injection',
|
|
673
704
|
cvss: {
|
|
@@ -684,11 +715,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
684
715
|
remediation: 'Use parameterized XPath queries or safe APIs that separate data from query logic. Validate and constrain user input for XPath contexts. Use allowlists and avoid dynamic XPath string concatenation.',
|
|
685
716
|
},
|
|
686
717
|
[error_codes_js_1.VulnerabilityCode.XPATH_DATA_EXTRACTION]: {
|
|
687
|
-
id:
|
|
718
|
+
id: 331,
|
|
688
719
|
code: error_codes_js_1.VulnerabilityCode.XPATH_DATA_EXTRACTION,
|
|
689
720
|
title: 'XPath Injection - Data Extraction',
|
|
690
721
|
description: 'XPath injection vulnerability that allows attackers to read or enumerate sensitive XML data by manipulating query predicates, leading to disclosure of user data, configuration, or credentials stored in XML-backed systems.',
|
|
691
722
|
severity: 'high',
|
|
723
|
+
levelId: 2,
|
|
692
724
|
category: 'injection',
|
|
693
725
|
scanner: 'xpath-injection',
|
|
694
726
|
cvss: {
|
|
@@ -705,11 +737,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
705
737
|
remediation: 'Use safe XPath APIs with variables/bind parameters. Apply strict input validation and encoding for XPath contexts. Restrict accessible XML data and apply least-privilege access controls.',
|
|
706
738
|
},
|
|
707
739
|
[error_codes_js_1.VulnerabilityCode.XPATH_BLIND]: {
|
|
708
|
-
id:
|
|
740
|
+
id: 332,
|
|
709
741
|
code: error_codes_js_1.VulnerabilityCode.XPATH_BLIND,
|
|
710
742
|
title: 'XPath Injection - Blind',
|
|
711
743
|
description: 'Blind XPath injection vulnerability where attackers infer query results through boolean or timing differences, enabling gradual extraction of sensitive XML data despite no direct response output.',
|
|
712
744
|
severity: 'medium',
|
|
745
|
+
levelId: 3,
|
|
713
746
|
category: 'injection',
|
|
714
747
|
scanner: 'xpath-injection',
|
|
715
748
|
cvss: {
|
|
@@ -726,11 +759,12 @@ exports.INJECTION_VULNERABILITIES = {
|
|
|
726
759
|
remediation: 'Use parameterized XPath queries and input validation. Normalize error and response behaviors to reduce side-channel differences. Apply rate limiting to limit inference attacks.',
|
|
727
760
|
},
|
|
728
761
|
[error_codes_js_1.VulnerabilityCode.XPATH_ERROR_BASED]: {
|
|
729
|
-
id:
|
|
762
|
+
id: 333,
|
|
730
763
|
code: error_codes_js_1.VulnerabilityCode.XPATH_ERROR_BASED,
|
|
731
764
|
title: 'XPath Injection - Error Based',
|
|
732
765
|
description: 'XPath injection vulnerability where malformed input triggers verbose error messages that reveal query structure or XML data, enabling attackers to craft precise XPath exploits or extract sensitive information.',
|
|
733
766
|
severity: 'medium',
|
|
767
|
+
levelId: 3,
|
|
734
768
|
category: 'injection',
|
|
735
769
|
scanner: 'xpath-injection',
|
|
736
770
|
cvss: {
|