@frangoteam/fuxa@1.2.7

Web-based Process Visualization (SCADA/HMI/Dashboard) software

  • latest version

    1.3.1

  • first published

    5 years ago

  • latest version published

    13 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @frangoteam/fuxa package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • [High] Use of Hard-coded Cryptographic Key

    @frangoteam/fuxa is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the authentication process: a static fallback JWT signing secret is used when no custom secret is configured. An attacker who knows this default secret can forge valid JWT tokens and gain unauthorized access.

    How to fix Use of Hard-coded Cryptographic Key?

    Upgrade @frangoteam/fuxa to version 1.3.0 or higher.

    Vulnerable versions: <1.3.0
    • [Critical] Missing Authentication for Critical Function

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the upload API. An attacker can overwrite arbitrary files on the server filesystem by sending crafted requests, potentially leading to execution of malicious code if critical files such as application code, startup scripts, or configuration files are replaced. This can result in full system compromise, especially if overwritten files are executed or loaded by the application or operating system.

    How to fix Missing Authentication for Critical Function?

    Upgrade @frangoteam/fuxa to version 1.2.10 or higher.

    Vulnerable versions: <1.2.10
    • [High] Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal due to the improper sanitization of nested traversal sequences (e.g., ....//) in multiple API endpoints. An attacker can gain full system control by uploading malicious scripts to sensitive directories and triggering their execution when the server reloads these scripts.

    How to fix Directory Traversal?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: *
    • [Critical] Insecure Default Initialization of Resource

    Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to the use of a hardcoded JWT secret in the default configuration. An attacker can gain administrative access and execute arbitrary code by forging authentication tokens and interacting with administrative APIs.

    How to fix Insecure Default Initialization of Resource?

    Upgrade @frangoteam/fuxa to version 1.2.10 or higher.

    Vulnerable versions: <1.2.10
    • [Critical] Improper Authentication

    Affected versions of this package are vulnerable to Improper Authentication via the authentication process. An attacker can gain administrative access and execute arbitrary code by bypassing authentication mechanisms and interacting with administrative APIs.

    Note: This is only exploitable if runtime.settings.secureEnabled is set to true.

    How to fix Improper Authentication?

    Upgrade @frangoteam/fuxa to version 1.2.10 or higher.

    Vulnerable versions: <1.2.10
    • [High] SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via the id parameter of an HTTP POST request, passed in the JSON body, due to improper user-input sanitization. An attacker can exploit this to extract confidential information from the SQLite database.

    How to fix SQL Injection?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *
    • [High] Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the fuxa.log file due to improper file sanitization. An attacker can read arbitrary files on the server by manipulating the file parameter to reference the desired file.

    How to fix Directory Traversal?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *
    • [High] SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via the /api/signin endpoint due to improper user-input sanitization. An attacker can manipulate the SQL query to gain unauthorized access or retrieve sensitive data by injecting malicious SQL code.

    How to fix SQL Injection?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *
    • [Critical] Remote Code Execution (RCE)

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the /api/runscript endpoint. An attacker can execute arbitrary commands by sending a crafted POST request.

    How to fix Remote Code Execution (RCE)?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: >=0.0.0
    • [High] Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF), which allows attackers to obtain sensitive information from the server's internal environment and services.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *