External Control of File Name or Path

Property
Language: ruby
Severity: medium
CWE: CWE-73: External Control of File Name or Path
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Passing user-controlled input directly to the send_file method can let attackers request and download sensitive files from your server. Always validate or sanitize user input before using it with file-serving functions.

Impact

If exploited, an attacker could access files outside the intended directory, such as configuration files or application secrets, leading to data breaches or compromise of the entire server. This can expose sensitive information and put the application and its users at risk.

External Initialization of Trusted Variables or Data Stores

Property
Language: java
Severity: medium
CWE: CWE-454: External Initialization of Trusted Variables or Data Stores
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input from HttpServletRequest is being used directly as environment variables in a Runtime.exec() command. This allows attackers to influence the environment of executed processes, which can lead to unexpected or malicious behavior.

Impact

An attacker could inject malicious values into environment variables, potentially altering the behavior of executed commands, stealing sensitive data, or escalating privileges. This could compromise application integrity and lead to broader system compromise.

File Inclusion

Property
Language: php
Severity: low
CWE: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Including files in PHP using variables that can be influenced by user input is unsafe. This allows attackers to specify which files are loaded, potentially exposing sensitive data or executing unwanted code. Always use a fixed list of files or thoroughly validate and sanitize all user input before including files.

Force destroy is enabled on Spaces bucket which is dangerous

Property
Language: terraform
Severity: medium
Service: spaces
Provider: DigitalOcean
Vulnerability Type: misconfiguration

Description

Configuring a DigitalOcean Spaces bucket with ‘force_destroy’ enabled allows the bucket to be deleted without checking if it contains any objects, bypassing safeguards against accidental data loss.

Impact

If exploited, all objects within the bucket could be permanently deleted, intentionally or by mistake, leading to loss of important data and potential disruption of services that depend on these stored assets.

Function Call With Incorrect Variable or Reference as Argument

Property
Language: solidity
Severity: critical
CWE: CWE-688: Function Call With Incorrect Variable or Reference as Argument
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

The transferFrom() function incorrectly handles allowance checks, allowing a user to spend tokens on behalf of other accounts without proper authorization. This flaw lets attackers exploit allowance logic to misuse or drain tokens from accounts that did not intend to approve them.

Impact

If exploited, an attacker could steal tokens from users by spending their allowances without permission, potentially leading to significant financial loss. This undermines trust in the contract and could result in large-scale theft or disruption of the token ecosystem.

Function Call With Incorrect Variable or Reference as Argument

Property
Language: solidity
Severity: high
CWE: CWE-688: Function Call With Incorrect Variable or Reference as Argument
Confidence Level: Medium
Impact Level: High
Likelihood Level: High

Description

The ‘from’ parameter is incorrectly checked in the _allowances mapping, meaning the function verifies allowances for the wrong address. This can allow unauthorized token burns or prevent valid burns from occurring.

Impact

If exploited, attackers could burn tokens from accounts without proper approval or bypass intended permission checks, potentially leading to loss of user funds and undermining trust in the token contract.

Function policies should avoid use of wildcards and instead apply the principle of least privilege

Property
Language: terraform
Severity: high
Service: sam
Provider: AWS

Description

You should apply the principle of least privilege when defining your IAM policies. This means specifying each exact permission required without using wildcards, since a wildcard can grant access to undesired actions, resources and principals.

Resolution

Specify the exact permissions required and the resources to which they should apply, instead of using wildcards.

Generation of Error Message Containing Sensitive Information

Property
Language: csharp
Severity: medium
CWE: CWE-209: Generation of Error Message Containing Sensitive Information
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: High
Impact Level: Low
Likelihood Level: Low

Description

The application is configured to show detailed stack traces to users even outside of a development environment. This exposes sensitive debug information that should not be visible in production.

Impact

If exploited, attackers can view internal error details that may reveal information about the application’s structure, technologies, or vulnerabilities. This information can aid in further attacks, increase the risk of data exposure, and damage the organization’s security posture.

Generation of Predictable IV with CBC Mode

Property
Language: java
Severity: high
CWE: CWE-329: Generation of Predictable IV with CBC Mode
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code uses a fixed or hardcoded initialization vector (IV) for block cipher encryption instead of generating a new random IV for each operation. This means identical plaintexts will always produce identical ciphertexts, reducing encryption effectiveness.

Impact

Attackers could detect patterns in encrypted data, allowing them to infer sensitive information or potentially decrypt messages. This weakens overall data confidentiality and can expose user data, violating security standards and putting both users and the organization at risk.

Generation of Predictable IV with CBC Mode

Property
Language: php
Severity: high
CWE: CWE-329: Generation of Predictable IV with CBC Mode
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

The code uses a static (hardcoded) initialization vector (IV) with AES encryption in CBC mode. This makes the encrypted data predictable and vulnerable to certain attacks, as the same IV is reused for multiple encryptions.

Impact

An attacker could exploit this to uncover patterns in the encrypted data or conduct chosen-plaintext attacks, potentially leading to sensitive information being exposed even if the encryption key remains secret. This weakens the overall security of the application and puts user data at risk.