@frangoteam/fuxa@1.3.0

Web-based Process Visualization (SCADA/HMI/Dashboard) software

  • latest version: 1.3.1

  • first published: 5 years ago

  • latest version published: 15 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @frangoteam/fuxa package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version

    • Directory Traversal (severity: High)

    @frangoteam/fuxa is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Directory Traversal due to the improper sanitization of nested traversal sequences (e.g., ....//) in multiple API endpoints. An attacker can gain full system control by uploading malicious scripts to sensitive directories and triggering their execution when the server reloads these scripts.

    How to fix Directory Traversal?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: *

    • Missing Authorization (severity: Critical)


    Affected versions of this package are vulnerable to Missing Authorization in the scheduler endpoint. An attacker can gain unauthorized access to create, modify, or delete schedules by sending crafted requests to the server. This can result in forcing connected devices to specific states, values, or executing existing scripts remotely.

    How to fix Missing Authorization?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: >=1.2.8

    • Missing Authentication for Critical Function (severity: Critical)


    Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the /nodered/flows endpoint when the Node-RED plugin is enabled. An attacker can gain administrative access and execute arbitrary code on the server by submitting a specially crafted flow configuration.

    How to fix Missing Authentication for Critical Function?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: >=1.2.8

    • SQL Injection (severity: High)


    Affected versions of this package are vulnerable to SQL Injection via the HTTP POST id parameter passed in the body as JSON, due to improper user-input sanitization. An attacker can extract confidential information from the SQLite database by exploiting this vulnerability.

    How to fix SQL Injection?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *

    • Directory Traversal (severity: High)


    Affected versions of this package are vulnerable to Directory Traversal via the fuxa.log file due to improper file sanitization. An attacker can read arbitrary files on the server by manipulating the file parameter to reference the desired file.

    How to fix Directory Traversal?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *

    • SQL Injection (severity: High)


    Affected versions of this package are vulnerable to SQL Injection via the /api/signin endpoint due to improper user-input sanitization. An attacker can manipulate the SQL query to gain unauthorized access or retrieve sensitive data by injecting malicious SQL code.

    How to fix SQL Injection?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *

    • Remote Code Execution (RCE) (severity: Critical)


    Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the /api/runscript endpoint. An attacker can execute arbitrary commands by sending a crafted POST request.

    How to fix Remote Code Execution (RCE)?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: >=0.0.0

    • Server-side Request Forgery (SSRF) (severity: High)


    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF), which allows attackers to obtain sensitive information from the server's internal environment and services.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for @frangoteam/fuxa.

    Vulnerable versions: *