Skip to content

Feature/cx fix#3

Open
cx-lucas-ferreira wants to merge 3 commits into
mainfrom
feature/cx-fix
Open

Feature/cx fix#3
cx-lucas-ferreira wants to merge 3 commits into
mainfrom
feature/cx-fix

Conversation

@cx-lucas-ferreira

Copy link
Copy Markdown
Contributor

update readme and requirements.txt

@checkmarx-gh-ast-us-povs

checkmarx-gh-ast-us-povs Bot commented Jun 23, 2026

Copy link
Copy Markdown

Logo
Checkmarx One – Scan Summary & Details701f591d-2a12-4274-954b-ad068223ad94


New Issues (52)

Critical: 3 · High: 22 · Medium: 22 · Low: 5

AI Triage*: Suspected False Positive 6 · View triage analysis

Checkmarx found the following issues in this Pull Request

# Severity Issue Source File / Package Checkmarx Insight
1 CRITICAL Stored_XSS backend/app.py: 139
detailsThe method embeds untrusted data in generated output with ReturnStmt, at line 141 of /backend/app.py. This untrusted data is embedded into the o...
Attack Vector
2 CRITICAL Stored_XSS backend/app.py: 138
detailsThe method embeds untrusted data in generated output with ReturnStmt, at line 141 of /backend/app.py. This untrusted data is embedded into the o...
Attack Vector
3 CRITICAL Stored_XSS backend/app.py: 137
detailsThe method embeds untrusted data in generated output with ReturnStmt, at line 141 of /backend/app.py. This untrusted data is embedded into the o...
Attack Vector
4 HIGH CVE-2020-7212 Python-urllib3-1.24.3
detailsDescription: The _encode_invalid_chars function in util/url.py in the urllib3 library 1.24 through 1.25.7 for Python allows a denial of service (CPU consumption...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
5 HIGH CVE-2021-33503 Python-urllib3-1.24.3
detailsDescription: An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority r...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
6 HIGH CVE-2023-25577 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited num...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
7 HIGH CVE-2023-30861 Python-Flask-1.1.4
detailsDescription: Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one cl...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
8 HIGH CVE-2023-43804 Python-urllib3-1.24.3
detailsDescription: urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managi...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
9 HIGH CVE-2023-46136 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of dat...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
10 HIGH CVE-2023-50447 Python-pillow-10.0.0
detailsDescription: Pillow versions prior to 10.2.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CV...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
11 HIGH CVE-2024-28219 Python-pillow-10.0.0
detailsDescription: In "_imagingcms.c" in Pillow versions prior to 10.3.0, a Buffer Overflow exists because "strcpy" is used instead of "strncpy".
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
12 HIGH CVE-2024-34069 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions prior to 3.0.3 of Werkzeug can allow an attacker to exe...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
13 HIGH CVE-2024-3651 Python-idna-2.7
detailsDescription: A vulnerability was identified in the kjd/idna library, specifically within the "idna.encode()" function. The issue arises from the function's hand...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
14 HIGH CVE-2024-49767 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a ver...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
15 HIGH CVE-2024-6221 Python-Flask-Cors-4.0.0
detailsDescription: A vulnerability in Flask-Cors version 4.0.0a0 through 4.0.1 allows the '`Access-Control-Allow-Private-Network' CORS header to be set to true by def...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
16 HIGH CVE-2025-45768 Python-PyJWT-2.8.0
detailsDescription: The PyJWT was discovered to contain weak encryption.
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
17 HIGH CVE-2025-66418 Python-urllib3-1.24.3
detailsDescription: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
18 HIGH CVE-2025-66471 Python-urllib3-1.24.3
detailsDescription: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
19 HIGH CVE-2026-21441 Python-urllib3-1.24.3
detailsDescription: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
20 HIGH CVE-2026-32597 Python-PyJWT-2.8.0
detailsDescription: PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 75...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
21 HIGH CVE-2026-41066 Python-lxml-4.9.3
detailsDescription: Using either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files. This af...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
22 HIGH CVE-2026-44431 Python-urllib3-1.24.3
detailsDescription: When following cross-origin redirects for requests made using urllib3's high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and ...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
23 HIGH CVE-2026-48526 Python-PyJWT-2.8.0
detailsDescription: PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetri...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
24 HIGH CVE-2026-9375 Python-urllib3-1.24.3
detailsDescription: urllib3 versions through 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli suppor...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
25 HIGH Debug_Enabled backend/app.py: 148
detailsThe application source code includes true, in line 148 of /backend/app.py, which was left from development and debugging, and is not part of the i...
Attack Vector
26 MEDIUM CVE-2020-26137 Python-urllib3-1.24.3
detailsDescription: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control charac...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
27 MEDIUM CVE-2023-32681 Python-requests-2.20.0
detailsDescription: Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
28 MEDIUM CVE-2023-45803 Python-urllib3-1.24.3
detailsDescription: urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response ...
Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Vulnerable Package
29 MEDIUM CVE-2024-1681 Python-Flask-Cors-4.0.0
detailsDescription: The corydolphin/flask-cors is vulnerable to log injection when the log level is set to "debug". An attacker can inject fake log entries into the lo...
Attack Vector: NETWORK
Attack Complexity: LOW
Exploitable Path: init_app@/backend/app.py - ... - make_after_request_function@...tension.py
Vulnerable Package
30 MEDIUM CVE-2024-22195 Python-Jinja2-2.11.3
detailsDescription: Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to injec...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
31 MEDIUM CVE-2024-34064 Python-Jinja2-2.11.3
detailsDescription: Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
32 MEDIUM CVE-2024-35195 Python-requests-2.20.0
detailsDescription: Requests is an HTTP library. In the package requests versions prior to 2.32.0, when making requests through a Requests `Session`, if the first requ...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
33 MEDIUM CVE-2024-37891 Python-urllib3-1.24.3
detailsDescription: urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
34 MEDIUM CVE-2024-47081 Python-requests-2.20.0
detailsDescription: Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak ".netrc" credentials to third parties for speci...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
35 MEDIUM CVE-2024-49766 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, "os.path.isabs()" does not catch UNC paths like "/...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
36 MEDIUM CVE-2024-56326 Python-Jinja2-2.11.3
detailsDescription: Jinja is an extensible templating engine. In affected versions, an oversight in how the Jinja sandboxed environment detects calls to `str.format` a...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
37 MEDIUM CVE-2025-27516 Python-Jinja2-2.11.3
detailsDescription: Jinja is an extensible templating engine. In Jinja2 versions prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
38 MEDIUM CVE-2025-50181 Python-urllib3-1.24.3
detailsDescription: The package urllib3 is a user-friendly HTTP client library for Python. In versions prior to 2.5.0, it is possible to disable redirects for all requ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
39 MEDIUM CVE-2025-66221 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's "safe_join" function allows path segments with Windows...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
40 MEDIUM CVE-2025-9714 Python-lxml-4.9.3
detailsDescription: Uncontrolled recursion in XPath evaluation in libxml2 versions through 2.9.14 allow a local attacker to cause a Stack Overflow via crafted expressi...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
41 MEDIUM CVE-2026-21860 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's "safe_join()" function allows path segments with Windo...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
42 MEDIUM CVE-2026-25645 Python-requests-2.20.0
detailsDescription: Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when ...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
43 MEDIUM CVE-2026-27199 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a comprehensive WSGI web application library. In versions through 3.1.5, the "safe_join" function allows Windows device names as filena...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
44 MEDIUM CVE-2026-28684 Python-python-dotenv-0.10.0
detailsDescription: python-dotenv reads key-value pairs from a `.env` file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_ke...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
45 MEDIUM CVE-2026-42308 Python-pillow-10.0.0
detailsDescription: Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps trac...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
46 MEDIUM CVE-2026-42310 Python-pillow-10.0.0
detailsDescription: Pillow is a Python imaging library. From version 4.2.0 prior to 12.2.0, an attacker can supply a malicious PDF that causes the process to hang inde...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
47 MEDIUM Missing_HSTS_Header backend/app.py: 20
detailsThe web-application does not define an HSTS header, leaving it vulnerable to attack.
Attack Vector
48 LOW CVE-2023-23934 Python-Werkzeug-1.0.1
detailsDescription: Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like "=value" instead of "key=value". A v...
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Vulnerable Package
49 LOW CVE-2025-6170 Python-lxml-4.9.3
detailsDescription: A flaw was found in the interactive shell of the xmllint tool in libxml2, used for parsing XML files. When a user inputs an overly long command, th...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
50 LOW CVE-2026-27205 Python-Flask-1.1.4
detailsDescription: Flask is a web server gateway interface (WSGI) web application framework. In versions through 3.1.2, when the session object is accessed, Flask sho...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
51 LOW Missing_Content_Security_Policy backend/app.py: 20
detailsA Content Security Policy is not explicitly defined within the web-application.
Attack Vector
52 LOW Missing_Content_Security_Policy backend/app.py: 84
detailsA Content Security Policy is not explicitly defined within the web-application.
Attack Vector

*AI agents that triage & remediate new issues in your PR scan. Learn more

Use @Checkmarx to interact with Checkmarx PR Assistant. New: ask the AI agent for remediation and automatically create a new pull request.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR
@Checkmarx remediate issues 1, 2, 7

@checkmarx-gh-ast-us-povs

Copy link
Copy Markdown

Logo
Checkmarx One – AI Triage701f591d-2a12-4274-954b-ad068223ad94


1. Stored_XSS · Critical

Triage context: Reachable · Not Exploitable

The vulnerability is admin-scoped (admin_dashboard at /admin route) and does not cross a security boundary. It does not enable privilege escalation or impact other users beyond the admin context, making it not exploitable according to the admin-only/no boundary crossing criteria.


2. Stored_XSS · Critical

Triage context: Reachable · Exploitable

The vulnerability is exploitable as confirmed by the scanner. Despite Flask's default auto-escaping, the scanner identified this as a Stored XSS vulnerability, indicating auto-escaping is disabled or bypassed. Stored XSS crosses security boundaries by enabling session theft, account takeover, and impacts on other users accessing the admin page.


3. Stored_XSS · Critical

Triage context: Reachable · Not Exploitable

The vulnerability exists in an admin interface ('admin.html' template). While technically exploitable, it requires admin access to inject payloads and only affects other admin users viewing the admin panel, representing admin-scoped impact without crossing security boundaries.


4. CVE-2020-7212 · High · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

urllib3 is installed as a transitive dependency but is never imported or used in the accessible codebase. No code paths invoke urllib3 functions or the vulnerable _encode_invalid_chars method, making the vulnerability unreachable.


5. CVE-2021-33503 · High · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

urllib3 and requests are not imported or used in the application code. No HTTP request operations or URL parsing functions exist, meaning the vulnerable authority parsing regex in urllib3 cannot be invoked.


6. CVE-2023-25577 · High · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The vulnerable Werkzeug multipart parser is not invoked by any existing routes. The three implemented endpoints only return JSON and perform database queries without accessing request.data, request.form, or request.files. Blueprint modules that would handle file uploads are referenced but not implemented in the codebase.


7. CVE-2023-30861 · High · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The vulnerable code path is not reachable because the application does not use Flask's session mechanism. The session object is never imported or used, and the application relies on JWT-based authentication instead. The critical precondition session.permanent = True is never set.


8. CVE-2023-43804 · High · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

urllib3 exists as a transitive dependency but is never imported or used. The application makes no outbound HTTP requests—it only processes incoming Flask requests. No code path can reach the vulnerable urllib3 functionality.


9. CVE-2023-46136 · High

Triage context: Reachable · Exploitable

The vulnerability is exploitable due to complete absence of protective controls (no MAX_CONTENT_LENGTH, FORM_MEMORY, rate limiting, or timeouts). CORS allows all origins without authentication, and the CVE-2023-46136 exploit pattern (CR/LF followed by megabytes without boundaries) is straightforward to execute, causing CPU exhaustion and worker process blocking.


10. CVE-2023-50447 · High · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

PIL.ImageMath.eval is never imported or called in the application codebase. Despite Pillow being a direct dependency, no image processing functionality or PIL-related imports exist in the application.


Use @Checkmarx to interact with Checkmarx PR Assistant. New: ask the AI agent for remediation and automatically create a new pull request.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx remediate issues 1, 2, 7

@cx-lucas-ferreira

Copy link
Copy Markdown
Contributor Author

@Checkmarx fix issues 2 and 9

@checkmarx-gh-ast-us-povs

Copy link
Copy Markdown

@Checkmarx fix issues 2 and 9

Great! I've initiated fixes for both vulnerabilities:

Vulnerability 2 - Stored_XSS (Critical severity)

  • Fix has been initiated and a pull request will be created with the remediation once ready

Vulnerability 9 - CVE-2023-46136 (High severity)

  • Fix has been initiated and a pull request will be created with the remediation once ready

You'll receive notifications when the pull requests are ready for review. The automated fixes will include the necessary code changes to address these security issues.

@checkmarx-gh-ast-us-povs

Copy link
Copy Markdown

@Checkmarx fix issues 2 and 9

Pull request #4 has been created for the CVE-2023-46136 (High) vulnerability.

@checkmarx-gh-ast-us-povs

Copy link
Copy Markdown

@Checkmarx fix issues 2 and 9

Pull request #5 has been created for the Stored_XSS (Critical) vulnerability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant