Skip to content

fix: security vulnerabilities (Trust scan a717d36b)#376

Open
Jaden-JJH wants to merge 9 commits intoOWASP:masterfrom
Jaden-JJH:trust-security/fix-a717d36b
Open

fix: security vulnerabilities (Trust scan a717d36b)#376
Jaden-JJH wants to merge 9 commits intoOWASP:masterfrom
Jaden-JJH:trust-security/fix-a717d36b

Conversation

@Jaden-JJH
Copy link
Copy Markdown

@Jaden-JJH Jaden-JJH commented Mar 4, 2026

Security Fixes by Trust Security

Scan ID: a717d36b-ab8b-4137-8650-e97b1c2af07c
Score: 1/100 (Grade F)

Fixed Vulnerabilities (34)

  • [CRITICAL] Arbitrary Code Execution in underscore (package.json)
  • [CRITICAL] Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (artifacts/cert/server.key)
  • [HIGH] Race Condition in Grunt (package.json)
  • [HIGH] Denial of Service in mongodb (package.json)
  • [HIGH] body-parser vulnerable to denial of service when url encoding is enabled (package.json)
  • [HIGH] Detected Private Key (CWE-798) (artifacts/cert/server.key)
  • [HIGH] Detected Bcrypt Hash (CWE-798) (artifacts/db-reset.js)
  • [HIGH] Code String Concat (CWE-95) (app/routes/contributions.js)
  • [HIGH] Regular Expression Denial of Service in marked (package.json)
  • [HIGH] Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (config/env/development.js)
  • [HIGH] Arbitrary Code Execution in grunt (package.json)
  • [HIGH] Inefficient Regular Expression Complexity in marked (package.json)
  • [HIGH] Arbitrary local file read vulnerability during template rendering (package.json)
  • [HIGH] Inefficient Regular Expression Complexity in marked (package.json)
  • [LOW] express vulnerable to XSS via response.redirect() (package.json)
  • [LOW] Express Check Csurf Middleware Usage (CWE-352) (server.js)
  • [MEDIUM] Eval Detected (CWE-95) (app/routes/contributions.js)
  • [MEDIUM] Express Cookie Session Default Name (CWE-522) (server.js)
  • [MEDIUM] Django No Csrf Token (CWE-352) (app/views/benefits.html)
  • [MEDIUM] Express Cookie Session No Httponly (CWE-522) (server.js)
  • [MEDIUM] Using Http Server (CWE-319) (server.js)
  • [MEDIUM] Plaintext Http Link (CWE-319) (app/views/tutorial/a2.html)
  • [MEDIUM] No New Privileges (CWE-732) (docker-compose.yml)
  • [MEDIUM] Writable Filesystem Service (CWE-732) (docker-compose.yml)
  • [MEDIUM] Express Cookie Session No Domain (CWE-522) (server.js)
  • [MEDIUM] Express Cookie Session No Path (CWE-522) (server.js)
  • [MEDIUM] Express.js Open Redirect in malformed URLs (package.json)
  • [MEDIUM] Express Cookie Session No Expires (CWE-522) (server.js)
  • [MEDIUM] Marked allows Regular Expression Denial of Service (ReDoS) attacks (package.json)
  • [MEDIUM] Express Cookie Session No Secure (CWE-522) (server.js)
  • [MEDIUM] Sanitization bypass using HTML Entities in marked (package.json)
  • [MEDIUM] Path Traversal in Grunt (package.json)
  • [MEDIUM] Express Open Redirect (CWE-601) (app/routes/index.js)
  • [MEDIUM] Marked vulnerable to XSS from data URIs (package.json)

Generated by Trust Security

Jaden-JJH added 9 commits March 4, 2026 18:03
@Jaden-JJH
fix: Arbitrary Code Execution in underscore, Race Condition in Grunt,…
b1f3350 
… Denial of Service in mongodb, body-parser vulnerable to denial of service when url encodin, Inefficient Regular Expression Complexity in marked, Arbitrary local file read vulnerability during template rend, Express.js Open Redirect in malformed URLs
@Jaden-JJH
fix: Identified a Private Key, which may compromise cryptographic, De…
39d5461 
…tected Private Key (CWE-798)
@Jaden-JJH
fix: Detected Bcrypt Hash (CWE-798)
9bba58e
@Jaden-JJH
fix: Code String Concat (CWE-95), Eval Detected (CWE-95)
1dfb33a
@Jaden-JJH
fix: Express Check Csurf Middleware Usage (CWE-352), Express Cookie S…
87d9ebe 
…ession Default Name (CWE-522), Express Cookie Session No Httponly (CWE-522), Using Http Server (CWE-319), Express Cookie Session No Domain (CWE-522), Express Cookie Session No Path (CWE-522), Express Cookie Session No Expires (CWE-522), Express Cookie Session No Secure (CWE-522)
@Jaden-JJH
fix: Django No Csrf Token (CWE-352)
2a146c2
@Jaden-JJH
fix: Plaintext Http Link (CWE-319)
70cba05
@Jaden-JJH
fix: No New Privileges (CWE-732), Writable Filesystem Service (CWE-732)
8fd5a83
@Jaden-JJH
fix: Express Open Redirect (CWE-601)
c408260
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Jaden-JJH