refractor code,
This commit is contained in:
@@ -0,0 +1,174 @@
|
||||
# PCI DSS 4.0 Compliance Report
|
||||
|
||||
**Total Findings:** 712
|
||||
**Requirements Affected:** 5
|
||||
|
||||
## Executive Summary
|
||||
|
||||
| Severity | Count |
|
||||
|----------|-------|
|
||||
| **CRITICAL** | 1 |
|
||||
| **HIGH** | 21 |
|
||||
| **MEDIUM** | 59 |
|
||||
| **LOW** | 9 |
|
||||
|
||||
## Findings by PCI DSS Requirement
|
||||
|
||||
### Requirement 6.2.4: Prevent XSS attacks in bespoke software
|
||||
|
||||
**Priority:** CRITICAL
|
||||
**Findings:** 3
|
||||
|
||||
- **MEDIUM**: 3 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[MEDIUM]** `CVE-2026-44580` - Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
2. **[MEDIUM]** `CVE-2026-44581` - Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
3. **[MEDIUM]** `CVE-2026-41305` - postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 6.3.3: Security vulnerabilities are identified and managed
|
||||
|
||||
**Priority:** CRITICAL
|
||||
**Findings:** 671
|
||||
|
||||
- **CRITICAL**: 1 findings
|
||||
- **HIGH**: 21 findings
|
||||
- **MEDIUM**: 18 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 8.2.1: Verify user identity before credential modification
|
||||
|
||||
**Priority:** HIGH
|
||||
**Findings:** 41
|
||||
|
||||
- **MEDIUM**: 41 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
|
||||
- Location: `/scan/.env.docker.production.example:0`
|
||||
|
||||
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.local:0`
|
||||
|
||||
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.dev:0`
|
||||
|
||||
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.test:0`
|
||||
|
||||
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 8.3.2: Strong cryptography for authentication credentials
|
||||
|
||||
**Priority:** CRITICAL
|
||||
**Findings:** 41
|
||||
|
||||
- **MEDIUM**: 41 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
|
||||
- Location: `/scan/.env.docker.production.example:0`
|
||||
|
||||
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.local:0`
|
||||
|
||||
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.dev:0`
|
||||
|
||||
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.test:0`
|
||||
|
||||
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 11.3.1: Internal vulnerability scans are performed
|
||||
|
||||
**Priority:** HIGH
|
||||
**Findings:** 671
|
||||
|
||||
- **CRITICAL**: 1 findings
|
||||
- **HIGH**: 21 findings
|
||||
- **MEDIUM**: 18 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
---
|
||||
|
||||
## Recommendations
|
||||
|
||||
### Critical Actions Required
|
||||
|
||||
The following PCI DSS requirements have CRITICAL findings that must be addressed immediately:
|
||||
|
||||
1. **Requirement 6.3.3**: Security vulnerabilities are identified and managed
|
||||
- 1 CRITICAL findings
|
||||
|
||||
1. **Requirement 11.3.1**: Internal vulnerability scans are performed
|
||||
- 1 CRITICAL findings
|
||||
|
||||
### Compliance Status
|
||||
|
||||
- **Requirements Passed**: N/A (manual validation required)
|
||||
- **Requirements with Findings**: 5
|
||||
- **Requirements Not Tested**: N/A (scope determined by organization)
|
||||
|
||||
### Next Steps
|
||||
|
||||
1. **Remediate CRITICAL findings** within 24 hours (per PCI DSS remediation SLAs)
|
||||
2. **Remediate HIGH findings** within 7 days
|
||||
3. **Document compensating controls** for accepted risks
|
||||
4. **Re-scan** after remediation to verify fixes
|
||||
5. **Submit ASV scan report** to Qualified Security Assessor (if applicable)
|
||||
|
||||
---
|
||||
|
||||
*This report was generated by JMo Security Audit Tool Suite.*
|
||||
*Report generation date: Auto-generated*
|
||||
Reference in New Issue
Block a user