奇安信CodeSafe

icon indicating a website link http://www.codesafe.cn/

Results 348 issues of 奇安信CodeSafe

Insecure Transport: Mail Transmission

https://github.com/XiaoMi/shepher/blob/53117572ee94c846922db9f86adb14372075f2cb/shepher-service/src/main/java/com/xiaomi/shepher/common/GeneralMailSender.java#L60-L68 Establishing an unencrypted connection to a mail server allows an attacker to carry out a man-in-the-middle attack and read all the mail transmissions. SSL/TLS connection is a better choice

反射型xss

您好: 我是奇安信代码卫士的工作人员,在我们的开源代码检测项目中发现shepher存在一处反射型xss漏洞和重定向漏洞,详细信息如下: ![图片](https://user-images.githubusercontent.com/39950310/56892238-9864a880-6ab1-11e9-95f8-7cbaa05efe22.png) 接收了请求中的referer请求头,而该请求头是不可信的,最后该参数用于重定向,且如果使用javascript://还可能导致xss漏洞

路径遍历漏洞

FileDownload.java中下载文件时未检验文件名,导致攻击者可能通过构造带有“../”的路径进行路径遍历,从而下载任意文件。 ![图片](https://user-images.githubusercontent.com/39950310/62280945-72b7b880-b47f-11e9-9dcc-4cbb6fbfde89.png)

There is a vulnerability in Spring Cloud 2.0.7.RELEASE,upgrade recommended

https://github.com/spring-cloud/spring-cloud-stream-binder-rabbit/blob/e60db263847aeff3076d1be9617f0476e383cf30/spring-cloud-stream-binder-rabbit/pom.xml#L45 CVE-2018-1272 Recommended upgrade version:2.0.8.RELEASE

Invalid struct tag

https://github.com/IBM/cloud-operators/blob/69106640983a0cb6c6aee287239c1d0aaada5177/api/v1/service_types.go#L85 https://github.com/IBM/cloud-operators/blob/69106640983a0cb6c6aee287239c1d0aaada5177/api/v1/service_types.go#L96 https://github.com/IBM/cloud-operators/blob/69106640983a0cb6c6aee287239c1d0aaada5177/api/v1/binding_types.go#L72 https://github.com/IBM/cloud-operators/blob/69106640983a0cb6c6aee287239c1d0aaada5177/api/v1/binding_types.go#L83 Ref: https://github.com/IBM/portieris/issues/276

Path Manipulation

https://github.com/Autodesk/aomi/blob/84da2dfb0424837adf9c4ddc1aa352e942bb7a4a/aomi/cli.py#L365 https://github.com/Autodesk/aomi/blob/84da2dfb0424837adf9c4ddc1aa352e942bb7a4a/aomi/helpers.py#L218 Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources

System Information Leak:Internal

We found a problem about System Information Leak:Internal in aomi-master/aomi/cli.py An internal information leak occurs when system data or debugging information is sent to a local file, console, or screen...

There is a vulnerability in node-forge 0.7.5,upgrade recommended

https://github.com/Autodesk/hig/blob/80680833679c324da5bb36cfe74f36c15c9672bc/acceptance/yarn.lock#L7188-L7190 CVE-2020-7720 Recommended upgrade version:0.10.0

There is a vulnerability in set-value 0.4.3,upgrade recommended

https://github.com/Autodesk/hig/blob/80680833679c324da5bb36cfe74f36c15c9672bc/acceptance/yarn.lock#L9499-L9502 CVE-2019-10747 Recommended upgrade version:2.0.1

There is a vulnerability in mixin-deep 1.3.1,upgrade recommended

https://github.com/Autodesk/hig/blob/80680833679c324da5bb36cfe74f36c15c9672bc/acceptance/yarn.lock#L7047-L7049 CVE-2019-10746 Recommended upgrade version:1.3.2