Delete verified record

Property
Language: terraform
Severity: critical
Service: dns
Provider: Nifcloud

Description

Leaving DNS TXT authentication records (such as ’nifty-dns-verify=…’) in the zone after verification allows unauthorized parties to use the record to re-verify and claim control of the DNS zone. The code fails to remove these sensitive records after use, exposing the zone to takeover.

Impact

If exploited, attackers could register or take over the DNS zone by leveraging the leftover verification record, enabling them to manipulate DNS entries, redirect traffic, or compromise services relying on the affected domain.

Deprecated MAINTAINER used

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

The Dockerfile uses the deprecated MAINTAINER instruction, which is no longer supported since Docker 1.13.0. This can lead to confusion and incompatibility with current and future Docker versions.

Impact

Continued use of deprecated instructions may result in build failures, reduced maintainability, and lack of proper image metadata, making it harder to track image ownership and updates. This can increase operational risk and complicate vulnerability management.

Deserialization of Untrusted Data

Property
Language: clojure
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Medium

Description

Using Clojure’s core read-string function to process untrusted input is dangerous because it can execute arbitrary code during deserialization. Instead, use edn/read-string, which safely parses data without code execution risks.

Impact

If exploited, an attacker could send crafted input that triggers code execution on your server, potentially leading to data breaches, unauthorized access, or full system compromise. This could result in loss of sensitive data and damage to the application’s reliability and trust.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using the SimpleTypeResolver with JavaScriptSerializer in .NET is insecure because it allows attackers to specify arbitrary types for deserialization. This can let malicious data trigger the creation of dangerous objects during JSON deserialization.

Impact

If exploited, an attacker could execute arbitrary code on your web server, potentially taking full control of the application and server environment. This can lead to data breaches, website defacement, or complete system compromise.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

Using SoapFormatter for deserialization is insecure because it can execute malicious code embedded in untrusted input. Even if the data source appears safe, SoapFormatter cannot be made secure and should not be used.

Impact

If exploited, an attacker could send specially crafted SOAP data to execute arbitrary code on your server, leading to data breaches, server takeover, or further internal attacks. This could result in severe compromise of application integrity and organizational security.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Implementing a custom DataContractResolver can be risky if you are not fully controlling what data types are being deserialized. Allowing untrusted or unknown types can let attackers supply malicious objects that trigger unexpected behavior during deserialization.

Impact

If exploited, an attacker could inject specially crafted data that leads to remote code execution, data tampering, or denial of service. This can compromise application integrity, expose sensitive information, and potentially allow full system compromise.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using .NET Remoting with BinaryServerFormatterSinkProvider and setting TypeFilterLevel to ‘Full’ or ‘Low’ allows unsafe deserialization of untrusted data. This setting makes your application vulnerable to malicious code execution during the deserialization process.

Impact

An attacker could exploit this to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or service disruption. This puts both application data and infrastructure at significant risk.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using fastJSON with the $type extension and disabling BadListTypeChecking allows deserialization of data types specified by the input, which can be dangerous if accepting JSON from untrusted sources. This can let attackers control what objects get created during deserialization.

Impact

If exploited, an attacker could craft malicious JSON to instantiate unexpected or dangerous objects, potentially leading to arbitrary code execution, data tampering, or full system compromise. This threatens the security and integrity of your application and any connected systems.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: high
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: High
Impact Level: High
Likelihood Level: Medium

Description

Using the BinaryFormatter for serialization or deserialization is unsafe because it can process malicious data in ways that allow attackers to run arbitrary code. Even if the data seems trustworthy, BinaryFormatter cannot be secured against exploitation.

Impact

If exploited, an attacker could remotely execute code on your server or compromise sensitive data by sending crafted input to your application. This can lead to full system compromise, data breaches, and loss of control over the application environment.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.