dkatzz
**Describe the bug** - Insufficient input sanitization in the 'Question Name' and 'Description' fields creates a reflected XSS vulnerability. This could allow admin users to inject malicious scripts like or...
**Describe the bug** Session cookies are not being destroyed after a user logs out. This means that compromised session data could be misused, undermining the expected security benefits of the...
**Describe the bug** By manipulating the program ID within the URL (https://staging-aws.civiform.dev/programs//review), applicants can access and submit previous versions of the application containing outdated formats or questions. **To Reproduce** Steps to...
#### Description Update the [TLS](https://github.com/civiform/cloud-deploy-infra/blob/eaeffb1c69a26490013e35c0a29ffcc302804130/cloud/aws/modules/pgadmin/main.tf#L20) [policy](https://github.com/civiform/cloud-deploy-infra/blob/eaeffb1c69a26490013e35c0a29ffcc302804130/cloud/aws/modules/ecs_fargate_service/variables.tf#L127) used by the load balancers (ELBSecurityPolicy-2016-08/default) to a [TLS 1.3](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html) security policy
#### Description There are a number of vulnerabilities (15 in the civiform/civiform image, 8 in the civiform/pgadmin image) due to outdated versions of dependencies referenced in the server build.sbt file,...
#### Description Based on security review, we should: - ensure data access by pgadmin is logged - follow the principle of least privilege to ensure people can only access the...
#### Description Based on security review, we should improve logging by enabling [ELB access logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb), [CloudTrail logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) and bucket access logging for all S3 buckets.
#### Description There are certain config values that make sense for a prod config vs a staging / demo config. It would be helpful to split https://github.com/civiform/civiform-deploy/blob/main/civiform_config.example.sh into a civiform_staging_config.example.sh...
#### Description We have auto generated server environment variables that are added to the docs (https://docs.civiform.us/it-manual/sre-playbook/upgrading-to-a-new-release/server-environment-variables), but we don't have the same thing for the deployment variables. Currently, in order...
**Describe the bug** For a program the city of Seattle is onboarding, there is some more advanced logic around when residents should see certain screens. See flow chart [here](https://app.mural.co/t/innovationandperformanceteam4349/m/innovationandperformancet[…]871ac673aa79d24660320fbe9ea5f?sender=u7f3482c9a5685121e8845225). In...