Files
carmanagement/results/summaries/PCI_DSS_COMPLIANCE.md
2026-05-21 12:35:49 -04:00

5.4 KiB

PCI DSS 4.0 Compliance Report

Total Findings: 712 Requirements Affected: 5

Executive Summary

Severity Count
CRITICAL 1
HIGH 21
MEDIUM 59
LOW 9

Findings by PCI DSS Requirement

Requirement 6.2.4: Prevent XSS attacks in bespoke software

Priority: CRITICAL Findings: 3

  • MEDIUM: 3 findings

Top Findings:

  1. [MEDIUM] CVE-2026-44580 - Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

    • Location: package-lock.json:0
  2. [MEDIUM] CVE-2026-44581 - Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

    • Location: package-lock.json:0
  3. [MEDIUM] CVE-2026-41305 - postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags

    • Location: package-lock.json:0

Requirement 6.3.3: Security vulnerabilities are identified and managed

Priority: CRITICAL Findings: 671

  • CRITICAL: 1 findings
  • HIGH: 21 findings
  • MEDIUM: 18 findings

Top Findings:

  1. [LOW] CVE-2026-3449 - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A

    • Location: package-lock.json:0
  2. [HIGH] CVE-2026-44665 - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content

    • Location: package-lock.json:0
  3. [MEDIUM] CVE-2026-44664 - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM

    • Location: package-lock.json:0
  4. [HIGH] CVE-2025-47935 - Multer vulnerable to Denial of Service via memory leaks from unclosed streams

    • Location: package-lock.json:0
  5. [HIGH] CVE-2025-47944 - Multer vulnerable to Denial of Service from maliciously crafted requests

    • Location: package-lock.json:0

Requirement 8.2.1: Verify user identity before credential modification

Priority: HIGH Findings: 41

  • MEDIUM: 41 findings

Top Findings:

  1. [MEDIUM] Postgres - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432

    • Location: /scan/.env.docker.production.example:0
  2. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.env.local:0
  3. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.env.docker.dev:0
  4. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.env.docker.test:0
  5. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0

Requirement 8.3.2: Strong cryptography for authentication credentials

Priority: CRITICAL Findings: 41

  • MEDIUM: 41 findings

Top Findings:

  1. [MEDIUM] Postgres - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432

    • Location: /scan/.env.docker.production.example:0
  2. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.env.local:0
  3. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.env.docker.dev:0
  4. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.env.docker.test:0
  5. [MEDIUM] Postgres - postgresql://postgres:password@postgres:5432

    • Location: /scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0

Requirement 11.3.1: Internal vulnerability scans are performed

Priority: HIGH Findings: 671

  • CRITICAL: 1 findings
  • HIGH: 21 findings
  • MEDIUM: 18 findings

Top Findings:

  1. [LOW] CVE-2026-3449 - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A

    • Location: package-lock.json:0
  2. [HIGH] CVE-2026-44665 - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content

    • Location: package-lock.json:0
  3. [MEDIUM] CVE-2026-44664 - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM

    • Location: package-lock.json:0
  4. [HIGH] CVE-2025-47935 - Multer vulnerable to Denial of Service via memory leaks from unclosed streams

    • Location: package-lock.json:0
  5. [HIGH] CVE-2025-47944 - Multer vulnerable to Denial of Service from maliciously crafted requests

    • Location: package-lock.json:0

Recommendations

Critical Actions Required

The following PCI DSS requirements have CRITICAL findings that must be addressed immediately:

  1. Requirement 6.3.3: Security vulnerabilities are identified and managed

    • 1 CRITICAL findings
  2. Requirement 11.3.1: Internal vulnerability scans are performed

    • 1 CRITICAL findings

Compliance Status

  • Requirements Passed: N/A (manual validation required)
  • Requirements with Findings: 5
  • Requirements Not Tested: N/A (scope determined by organization)

Next Steps

  1. Remediate CRITICAL findings within 24 hours (per PCI DSS remediation SLAs)
  2. Remediate HIGH findings within 7 days
  3. Document compensating controls for accepted risks
  4. Re-scan after remediation to verify fixes
  5. Submit ASV scan report to Qualified Security Assessor (if applicable)

This report was generated by JMo Security Audit Tool Suite. Report generation date: Auto-generated