Files
carmanagement/results/summaries/PCI_DSS_COMPLIANCE.md
2026-05-21 12:35:49 -04:00

175 lines
5.4 KiB
Markdown

# PCI DSS 4.0 Compliance Report
**Total Findings:** 712
**Requirements Affected:** 5
## Executive Summary
| Severity | Count |
|----------|-------|
| **CRITICAL** | 1 |
| **HIGH** | 21 |
| **MEDIUM** | 59 |
| **LOW** | 9 |
## Findings by PCI DSS Requirement
### Requirement 6.2.4: Prevent XSS attacks in bespoke software
**Priority:** CRITICAL
**Findings:** 3
- **MEDIUM**: 3 findings
**Top Findings:**
1. **[MEDIUM]** `CVE-2026-44580` - Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
- Location: `package-lock.json:0`
2. **[MEDIUM]** `CVE-2026-44581` - Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
- Location: `package-lock.json:0`
3. **[MEDIUM]** `CVE-2026-41305` - postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
- Location: `package-lock.json:0`
---
### Requirement 6.3.3: Security vulnerabilities are identified and managed
**Priority:** CRITICAL
**Findings:** 671
- **CRITICAL**: 1 findings
- **HIGH**: 21 findings
- **MEDIUM**: 18 findings
**Top Findings:**
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
- Location: `package-lock.json:0`
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
- Location: `package-lock.json:0`
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
- Location: `package-lock.json:0`
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
- Location: `package-lock.json:0`
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
- Location: `package-lock.json:0`
---
### Requirement 8.2.1: Verify user identity before credential modification
**Priority:** HIGH
**Findings:** 41
- **MEDIUM**: 41 findings
**Top Findings:**
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
- Location: `/scan/.env.docker.production.example:0`
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.env.local:0`
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.env.docker.dev:0`
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.env.docker.test:0`
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
---
### Requirement 8.3.2: Strong cryptography for authentication credentials
**Priority:** CRITICAL
**Findings:** 41
- **MEDIUM**: 41 findings
**Top Findings:**
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
- Location: `/scan/.env.docker.production.example:0`
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.env.local:0`
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.env.docker.dev:0`
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.env.docker.test:0`
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
---
### Requirement 11.3.1: Internal vulnerability scans are performed
**Priority:** HIGH
**Findings:** 671
- **CRITICAL**: 1 findings
- **HIGH**: 21 findings
- **MEDIUM**: 18 findings
**Top Findings:**
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
- Location: `package-lock.json:0`
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
- Location: `package-lock.json:0`
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
- Location: `package-lock.json:0`
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
- Location: `package-lock.json:0`
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
- Location: `package-lock.json:0`
---
## Recommendations
### Critical Actions Required
The following PCI DSS requirements have CRITICAL findings that must be addressed immediately:
1. **Requirement 6.3.3**: Security vulnerabilities are identified and managed
- 1 CRITICAL findings
1. **Requirement 11.3.1**: Internal vulnerability scans are performed
- 1 CRITICAL findings
### Compliance Status
- **Requirements Passed**: N/A (manual validation required)
- **Requirements with Findings**: 5
- **Requirements Not Tested**: N/A (scope determined by organization)
### Next Steps
1. **Remediate CRITICAL findings** within 24 hours (per PCI DSS remediation SLAs)
2. **Remediate HIGH findings** within 7 days
3. **Document compensating controls** for accepted risks
4. **Re-scan** after remediation to verify fixes
5. **Submit ASV scan report** to Qualified Security Assessor (if applicable)
---
*This report was generated by JMo Security Audit Tool Suite.*
*Report generation date: Auto-generated*