Track and manage security vulnerabilities across all your pentests.
SQL Injection in User Authentication
An SQL injection vulnerability exists in the user authentication endpoint. User-supplied input is directly concatenated into SQL queries without proper sanitization, allowing attackers to bypass authentication or extract sensitive data from the database.
Cross-Site Scripting (XSS) in Comments
A stored XSS vulnerability exists in the comments functionality. User-submitted comments are rendered without proper HTML encoding, allowing injection of malicious JavaScript that executes in other users' browsers.
Insecure Direct Object Reference (IDOR)
The API endpoint for retrieving user documents does not verify that the requesting user has permission to access the requested document ID, allowing any authenticated user to access any document.
Hardcoded API Key in Source Code
A third-party API key is hardcoded in the source code. This key could be extracted by anyone with access to the codebase or client-side bundle.
Missing Rate Limiting on Login Endpoint
The login endpoint does not implement rate limiting, making it vulnerable to brute-force attacks and credential stuffing.
Verbose Error Messages Exposing Stack Traces
The application returns detailed error messages including stack traces in production, potentially revealing sensitive information about the application architecture.