@frangoteam/fuxa/.../fuxa@1.1.1 vulnerabilities

Web-based Process Visualization (SCADA/HMI/Dashboard) software

  • latest version

    1.2.2-1

  • first published

    3 years ago

  • latest version published

    16 hours ago

  • Direct Vulnerabilities

    Known vulnerabilities in the @frangoteam/fuxa package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable version
    • High severity
    Directory Traversal

    @frangoteam/fuxa is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Directory Traversal via the /api/download endpoint: the path the endpoint is asked to serve is not confined to the intended directory. By manipulating the file inclusion mechanism, an attacker can execute arbitrary code on the local system.

    How to fix Directory Traversal?

    Upgrade @frangoteam/fuxa to version 1.1.14 or higher. The version this page describes, 1.1.1, is in the affected range.

    Vulnerable versions: <1.1.14
    • High severity
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via the id parameter sent as JSON in an HTTP POST body: the value is not sanitized before it reaches the query. An attacker can use it to extract confidential information from the SQLite database.

    How to fix SQL Injection?

    No fixed version was available when this page was generated.

    Vulnerable versions: all (*)
    • High severity
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal in the handler that serves the fuxa.log file: the file parameter is not sanitized, so an attacker can point it at any file on the server and read it.

    How to fix Directory Traversal?

    No fixed version was available when this page was generated.

    Vulnerable versions: all (*)
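Both Directory Traversal entries above (the /api/download path and the file parameter of the fuxa.log handler) come down to one missing check: the server joins a client-supplied name onto a base directory and never proves the result is still inside it. The example below is added here and is not FUXA's code (FUXA's backend is Node.js; Python is used so the check runs stand-alone). The function names resolve_unsafe and resolve_safe, the "downloads" directory and the sample fuxa.log and secret.txt files are constructed for the demonstration. It tries a "../" name, an absolute path and a symlink that points out of the root against both the naive and the hardened resolver.

```python
"""Containment check for a file-download endpoint (added example, not FUXA code).

Names (resolve_unsafe, resolve_safe, the 'downloads' root, the sample files)
are assumptions for the demonstration. The technique is language-independent:
canonicalize the candidate, then prove it still lies under the allowed root.
"""
import os
import tempfile
from typing import Optional


def resolve_unsafe(root: str, requested: str) -> str:
    """Vulnerable pattern: trust the client-supplied name.

    os.path.join silently discards `root` when `requested` is absolute,
    and '..' segments walk out of `root` after normalization.
    """
    return os.path.normpath(os.path.join(root, requested))


def resolve_safe(root: str, requested: str) -> Optional[str]:
    """Hardened pattern: realpath (follows symlinks), then a commonpath check.

    commonpath rather than startswith: startswith(root) would also accept a
    sibling directory such as '/srv/fuxa-evil' when root is '/srv/fuxa'.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows share no common path
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Build a constructed tree and run four requests through both resolvers.

    For each request, report whether the naive resolver would hand out the
    out-of-root secret and whether the hardened resolver serves anything.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.makedirs(root)
        with open(os.path.join(root, "fuxa.log"), "w") as fh:
            fh.write("constructed sample log line\n")
        secret = os.path.join(tmp, "secret.txt")  # lives outside the root
        with open(secret, "w") as fh:
            fh.write("not for download\n")

        attempts = {
            "legit": "fuxa.log",
            "dotdot": os.path.join("..", "secret.txt"),
            "absolute": secret,
        }
        try:  # a symlink inside the root that points outside it
            os.symlink(secret, os.path.join(root, "link.log"))
            attempts["symlink"] = "link.log"
        except OSError:
            pass  # platform without symlink privilege: skip that case

        secret_real = os.path.realpath(secret)
        results = {}
        for name, requested in attempts.items():
            unsafe_target = os.path.realpath(resolve_unsafe(root, requested))
            results[name] = {
                "unsafe_leaks_secret": unsafe_target == secret_real,
                "safe_serves": resolve_safe(root, requested) is not None,
            }
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

The order of operations matters: realpath first, containment check second. Checking the string before canonicalizing lets the symlink case through, and checking with a prefix comparison instead of commonpath lets a sibling directory through.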
    • High severity
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via the /api/signin endpoint, which does not sanitize the user input it receives. By injecting SQL into that input, an attacker can alter the login query to gain unauthorized access or retrieve sensitive data.

    How to fix SQL Injection?

    No fixed version was available when this page was generated.

    Vulnerable versions: all (*)
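The two SQL Injection entries above describe two shapes of the same defect: a sign-in query that splices credentials into the SQL text, and a lookup that interpolates a JSON "id" value unquoted. The example below is added here and is not FUXA's code; its schema, its two constructed users, and the function names (signin_vulnerable, signin_safe, find_by_id_vulnerable, find_by_id_safe) are assumptions for the demonstration. It runs the classic comment-out bypass against the sign-in query and a widening "1 OR 1=1" value against the id lookup, then shows the bound-parameter versions refusing both, using the SQLite that ships with Python.

```python
"""Two SQL-injection shapes beside their fixes (added example, not FUXA code).

Schema, users and function names are constructed for the demonstration.
Passwords are stored in clear only to keep the injection point visible;
a real sign-in compares a password hash.
"""
import json
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "correct-horse-battery-staple", "admins"),
         ("operator", "op-pass", "operators")],
    )
    return conn


def signin_vulnerable(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Sign-in shape: credentials spliced into the SQL text.

    A username of  admin'--  closes the string and comments out the
    password check, so any password matches.
    """
    sql = (f"SELECT username, role FROM users WHERE username = '{username}'"
           f" AND password = '{password}'")
    return conn.execute(sql).fetchone()


def signin_safe(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Same query with bound parameters: the input is data, never SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def find_by_id_vulnerable(conn, body: str) -> list:
    """JSON-body 'id' shape: the value is interpolated unquoted, so the
    string '1 OR 1=1' widens the lookup to every row in the table."""
    user_id = json.loads(body)["id"]
    return conn.execute(
        f"SELECT username, role FROM users WHERE id = {user_id}"
    ).fetchall()


def find_by_id_safe(conn, body: str) -> list:
    """Reject anything but a JSON integer (bool is an int subclass in
    Python, so exclude it explicitly), then bind the value."""
    user_id = json.loads(body)["id"]
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise TypeError("id must be a JSON integer")
    return conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    bypass_user, any_pw = "admin'--", "wrong-password"
    dump_body = json.dumps({"id": "1 OR 1=1"})  # constructed attack body
    legit_body = json.dumps({"id": 1})
    try:
        find_by_id_safe(conn, dump_body)
        safe_rejected = False
    except TypeError:
        safe_rejected = True
    return {
        "signin_vulnerable_bypassed": signin_vulnerable(conn, bypass_user, any_pw),
        "signin_safe_bypassed": signin_safe(conn, bypass_user, any_pw),
        "signin_safe_legit": signin_safe(conn, "admin", "correct-horse-battery-staple"),
        "id_vulnerable_rows": len(find_by_id_vulnerable(conn, dump_body)),
        "id_safe_rejected_string": safe_rejected,
        "id_safe_rows": len(find_by_id_safe(conn, legit_body)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value!r}")
```

Python's sqlite3 refuses to execute more than one statement per call, so stacked queries ("; DROP TABLE ...") are not what this shows; the authentication bypass and the row dump need no second statement, which is why parameter binding, not statement splitting, is the fix.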
    • Critical severity
    Remote Code Execution (RCE)

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the /api/runscript endpoint: a crafted POST request is enough to make the server execute arbitrary commands.

    How to fix Remote Code Execution (RCE)?

    No fixed version was available when this page was generated. Until one exists, exposing the FUXA server to an untrusted network is equivalent to granting that network command execution on the host.

    Vulnerable versions: all (>=0.0.0)
    • High severity
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF), which lets an attacker make the server issue requests to its internal environment and services and obtain sensitive information from them. The advisory does not identify the affected endpoint or parameter.

    How to fix Server-side Request Forgery (SSRF)?

    No fixed version was available when this page was generated.

    Vulnerable versions: all (*)