https://github.com/caresmartsuits-eng/adminapplication-internal.git · lang: javascript · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| JRN002 Browser storage is used for session token material | medium | 12 |
| AIC003 Duplicated implementation block across source files | low | 9 |
| MINED114 Admin endpoint without auth check | critical | 5 |
| MINED044 Js Console Log Prod | info | 4 |
| JRN009 Secret-like setting is echoed into a password input value | high | 3 |
| SEC020 Secret Printed to Logs | high | 3 |
| MINED113 Express POST/PUT/DELETE/PATCH route without auth | high | 3 |
| SEC135 Auth/permission check missing on AI-generated endpoint | high | 2 |
| MINED056 React Key As Index | info | 2 |
| SEC041 Tabnabbing — target="_blank" without rel="noopener noreferr… | medium | 1 |
MINED114 Admin endpoint without auth check · CWE-284, CWE-862 · backend/src/routes/configHeaders.routes.js:36 · conf 0.80
[MINED114] Admin endpoint without auth: POST /admin/config-headers/create: Express route on /admin path (/admin/config-headers/create) with no auth middleware.
MINED114 Admin endpoint without auth check · CWE-284, CWE-862 · backend/src/routes/configHeaders.routes.js:66 · conf 0.80
[MINED114] Admin endpoint without auth: PUT /admin/config-headers/update/:id: Express route on /admin path (/admin/config-headers/update/:id) with no auth middleware.
MINED114 Admin endpoint without auth check · CWE-284, CWE-862 · backend/src/routes/configs.routes.js:34 · conf 0.80
[MINED114] Admin endpoint without auth: POST /admin/configurations/create: Express route on /admin path (/admin/configurations/create) with no auth middleware.
MINED114 Admin endpoint without auth check · CWE-284, CWE-862 · backend/src/routes/configs.routes.js:59 · conf 0.80
[MINED114] Admin endpoint without auth: PUT /admin/configurations/update/:id: Express route on /admin path (/admin/configurations/update/:id) with no auth middleware.
MINED114 Admin endpoint without auth check · CWE-284, CWE-862 · backend/src/routes/users.routes.js:9 · conf 0.80
[MINED114] Admin endpoint without auth: POST /admin/create-user: Express route on /admin path (/admin/create-user) with no auth middleware.
CORE_NO_TESTS No test files found
JRN009 Secret-like setting is echoed into a password input value · client/src/App.jsx:156 · conf 0.83
JRN009 Secret-like setting is echoed into a password input value · client/src/pages/features/users/CreateUser.jsx:118 · conf 0.83
JRN009 Secret-like setting is echoed into a password input value · client/src/pages/user/ResetPassword.jsx:125 · conf 0.83
MINED113 Express POST/PUT/DELETE/PATCH route without auth · CWE-306, CWE-862 · backend/src/routes/auth.routes.js:10 · conf 0.80
[MINED113] Express POST /login has no auth: Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes a…
MINED113 Express POST/PUT/DELETE/PATCH route without auth · CWE-306, CWE-862 · backend/src/routes/orders.routes.js:16 · conf 0.80
[MINED113] Express POST /orders/create has no auth: Express route POST /orders/create declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthen…
MINED113 Express POST/PUT/DELETE/PATCH route without auth · CWE-306, CWE-862 · backend/src/routes/orders.routes.js:74 · conf 0.80
[MINED113] Express PUT /orders/update/:id has no auth: Express route PUT /orders/update/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on un…
SEC100 CORS permissive Access-Control-Allow-Origin: * · backendmongo/src/routes/orders.routes.js:16 · conf 1.00
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
SEC135 Auth/permission check missing on AI-generated endpoint · backendmongo/src/routes/auth.routes.js:14 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
SEC135 Auth/permission check missing on AI-generated endpoint · backend/src/routes/auth.routes.js:10 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
CORE_NO_CI No CI/CD configuration found
CORE_NO_README No README file found
JRN002 Browser storage is used for session token material · client/src/pages/admin/AdminDashboard.jsx:35 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/audits/AuditLogsList.jsx:20 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/configHeaders/ConfigHeadersList.jsx:11 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/configHeaders/CreateConfigHeader.jsx:17 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/configHeaders/UpdateConfigHeaderModal.jsx:12 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/configs/ConfigurationsList.jsx:31 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/configs/CreateConfiguration.jsx:21 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/configs/CreateConfiguration.jsx:58 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/orders/CreateOrder.jsx:32 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/orders/CreateOrder.jsx:47 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/orders/CreateOrder.jsx:71 · conf 0.82
JRN002 Browser storage is used for session token material · client/src/pages/features/orders/CreateOrder.jsx:94 · conf 0.82
SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer" · backendmongo/src/utils/axiosmailer.js:112 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
AIC003 Duplicated implementation block across source files · backendmongo/src/models/Configuration.js:9 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/features/configs/ConfigurationsList.jsx:106 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/features/configs/UpdateConfigurationModal.jsx:8 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/features/orders/OrdersList.jsx:223 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/features/orders/UpdateOrderModal.jsx:140 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/user/ForgotPassword.jsx:40 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/user/ResetPassword.jsx:66 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/user/ResetPassword.jsx:122 · conf 0.86
AIC003 Duplicated implementation block across source files · client/src/pages/user/UserDashboard.jsx:15 · conf 0.86
CORE_NO_LICENSE No LICENSE file
MINED044 Js Console Log Prod · CWE-532 · conf 0.20
[MINED044] Js Console Log Prod (and 11 more): Same pattern found in 11 additional files. Review if needed.
MINED044 Js Console Log Prod · CWE-532 · backend/src/audits.js:8 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044 Js Console Log Prod · CWE-532 · backend/src/db.js:6 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044 Js Console Log Prod · CWE-532 · backend/src/server.js:42 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED049 Print Pii · CWE-532 · backendmongo/src/utils/nodemailer.js:76 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED053 Placeholder Default Username · CWE-1392, CWE-798 · client/src/App.jsx:3 · conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED056 React Key As Index · CWE-682 · client/src/pages/features/audits/AuditLogsList.jsx:195 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056 React Key As Index · CWE-682 · client/src/pages/features/configs/CreateConfiguration.jsx:115 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED065 Cors Wildcard · CWE-942, CWE-346 · backend/src/server.js:17 · conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
SEC020 Secret Printed to Logs · backendmongo/src/utils/nodemailer.js:40 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020 Secret Printed to Logs · client/src/pages/features/users/UpdatePassword.jsx:74 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020 Secret Printed to Logs · client/src/pages/user/ResetPassword.jsx:79 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…