175 lines
5.4 KiB
Markdown
175 lines
5.4 KiB
Markdown
# PCI DSS 4.0 Compliance Report
|
|
|
|
**Total Findings:** 712
|
|
**Requirements Affected:** 5
|
|
|
|
## Executive Summary
|
|
|
|
| Severity | Count |
|
|
|----------|-------|
|
|
| **CRITICAL** | 1 |
|
|
| **HIGH** | 21 |
|
|
| **MEDIUM** | 59 |
|
|
| **LOW** | 9 |
|
|
|
|
## Findings by PCI DSS Requirement
|
|
|
|
### Requirement 6.2.4: Prevent XSS attacks in bespoke software
|
|
|
|
**Priority:** CRITICAL
|
|
**Findings:** 3
|
|
|
|
- **MEDIUM**: 3 findings
|
|
|
|
**Top Findings:**
|
|
|
|
1. **[MEDIUM]** `CVE-2026-44580` - Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
|
|
- Location: `package-lock.json:0`
|
|
|
|
2. **[MEDIUM]** `CVE-2026-44581` - Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
|
|
- Location: `package-lock.json:0`
|
|
|
|
3. **[MEDIUM]** `CVE-2026-41305` - postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
|
|
- Location: `package-lock.json:0`
|
|
|
|
---
|
|
|
|
### Requirement 6.3.3: Security vulnerabilities are identified and managed
|
|
|
|
**Priority:** CRITICAL
|
|
**Findings:** 671
|
|
|
|
- **CRITICAL**: 1 findings
|
|
- **HIGH**: 21 findings
|
|
- **MEDIUM**: 18 findings
|
|
|
|
**Top Findings:**
|
|
|
|
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
|
|
- Location: `package-lock.json:0`
|
|
|
|
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
|
|
- Location: `package-lock.json:0`
|
|
|
|
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
|
|
- Location: `package-lock.json:0`
|
|
|
|
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
|
|
- Location: `package-lock.json:0`
|
|
|
|
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
|
|
- Location: `package-lock.json:0`
|
|
|
|
---
|
|
|
|
### Requirement 8.2.1: Verify user identity before credential modification
|
|
|
|
**Priority:** HIGH
|
|
**Findings:** 41
|
|
|
|
- **MEDIUM**: 41 findings
|
|
|
|
**Top Findings:**
|
|
|
|
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
|
|
- Location: `/scan/.env.docker.production.example:0`
|
|
|
|
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.env.local:0`
|
|
|
|
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.env.docker.dev:0`
|
|
|
|
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.env.docker.test:0`
|
|
|
|
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
|
|
|
|
---
|
|
|
|
### Requirement 8.3.2: Strong cryptography for authentication credentials
|
|
|
|
**Priority:** CRITICAL
|
|
**Findings:** 41
|
|
|
|
- **MEDIUM**: 41 findings
|
|
|
|
**Top Findings:**
|
|
|
|
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
|
|
- Location: `/scan/.env.docker.production.example:0`
|
|
|
|
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.env.local:0`
|
|
|
|
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.env.docker.dev:0`
|
|
|
|
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.env.docker.test:0`
|
|
|
|
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
|
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
|
|
|
|
---
|
|
|
|
### Requirement 11.3.1: Internal vulnerability scans are performed
|
|
|
|
**Priority:** HIGH
|
|
**Findings:** 671
|
|
|
|
- **CRITICAL**: 1 findings
|
|
- **HIGH**: 21 findings
|
|
- **MEDIUM**: 18 findings
|
|
|
|
**Top Findings:**
|
|
|
|
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
|
|
- Location: `package-lock.json:0`
|
|
|
|
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
|
|
- Location: `package-lock.json:0`
|
|
|
|
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
|
|
- Location: `package-lock.json:0`
|
|
|
|
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
|
|
- Location: `package-lock.json:0`
|
|
|
|
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
|
|
- Location: `package-lock.json:0`
|
|
|
|
---
|
|
|
|
## Recommendations
|
|
|
|
### Critical Actions Required
|
|
|
|
The following PCI DSS requirements have CRITICAL findings that must be addressed immediately:
|
|
|
|
1. **Requirement 6.3.3**: Security vulnerabilities are identified and managed
|
|
- 1 CRITICAL findings
|
|
|
|
1. **Requirement 11.3.1**: Internal vulnerability scans are performed
|
|
- 1 CRITICAL findings
|
|
|
|
### Compliance Status
|
|
|
|
- **Requirements Passed**: N/A (manual validation required)
|
|
- **Requirements with Findings**: 5
|
|
- **Requirements Not Tested**: N/A (scope determined by organization)
|
|
|
|
### Next Steps
|
|
|
|
1. **Remediate CRITICAL findings** within 24 hours (per PCI DSS remediation SLAs)
|
|
2. **Remediate HIGH findings** within 7 days
|
|
3. **Document compensating controls** for accepted risks
|
|
4. **Re-scan** after remediation to verify fixes
|
|
5. **Submit ASV scan report** to Qualified Security Assessor (if applicable)
|
|
|
|
---
|
|
|
|
*This report was generated by JMo Security Audit Tool Suite.*
|
|
*Report generation date: Auto-generated*
|