fuxa-server@1.1.14-1243 vulnerabilities

Web-based Process Visualization (SCADA/HMI/Dashboard) software

  • latest version

    1.1.14-1243

  • first published

    2 years ago

  • latest version published

    2 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the fuxa-server package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    Missing Authorization

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Missing Authorization in the scheduler endpoint. An attacker can gain unauthorized access to create, modify, or delete schedules by sending crafted requests to the server. This can result in forcing connected devices to specific states, values, or executing existing scripts remotely.

    How to fix Missing Authorization?

    A fix was pushed into the master branch but not yet published.

    • C
    Missing Authentication for Critical Function

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the /nodered/flows endpoint when the Node-RED plugin is enabled. An attacker can gain administrative access and execute arbitrary code on the server by submitting a specially crafted flow configuration.

    How to fix Missing Authentication for Critical Function?

    A fix was pushed into the master branch but not yet published.

    • C
    Insecure Default Initialization of Resource

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to the use of a hardcoded JWT secret in the default configuration. An attacker can gain administrative access and execute arbitrary code by forging authentication tokens and interacting with administrative APIs.

    How to fix Insecure Default Initialization of Resource?

    A fix was pushed into the master branch but not yet published.

    • C
    Missing Authentication for Critical Function

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the upload API. An attacker can overwrite arbitrary files on the server filesystem by sending crafted requests, potentially leading to execution of malicious code if critical files such as application code, startup scripts, or configuration files are replaced. This can result in full system compromise, especially if overwritten files are executed or loaded by the application or operating system.

    How to fix Missing Authentication for Critical Function?

    A fix was pushed into the master branch but not yet published.

    • C
    Improper Authentication

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Improper Authentication via the authentication process. An attacker can gain administrative access and execute arbitrary code by bypassing authentication mechanisms and interacting with administrative APIs.

    Note: This is only exploitable if runtime.settings.secureEnabled is set to true.

    How to fix Improper Authentication?

    A fix was pushed into the master branch but not yet published.

    • C
    Missing Authorization

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Missing Authorization via the WebSocket. An attacker can overwrite arbitrary device tags or disable communication drivers by sending crafted WebSocket messages without authentication.

    Note: This is only exploitable if the deployment is configured with runtime.settings.secureEnabled set to true.

    How to fix Missing Authorization?

    A fix was pushed into the master branch but not yet published.

    • C
    Cleartext Storage of Sensitive Information

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information via runtime.settings. An attacker can obtain sensitive administrative database credentials and full system configuration by sending unauthenticated remote requests. This enables reading, modifying, or deleting all historical process data, or corrupting the database to disrupt service.

    How to fix Cleartext Storage of Sensitive Information?

    A fix was pushed into the master branch but not yet published.

    • C
    Command Injection

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Command Injection via the project files import process. An attacker can execute arbitrary system commands by uploading a crafted project file containing malicious scripts.

    How to fix Command Injection?

    A fix was pushed into the master branch but not yet published.

    • C
    Use of Hard-coded Credentials

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the jwt-helper.js when verifying JWT tokens. An attacker can gain unauthorized administrative access by forging valid tokens using the hard-coded secret key.

    How to fix Use of Hard-coded Credentials?

    There is no fixed version for fuxa-server.

    • C
    Missing Authentication for Critical Function

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the secureEnabled flag being commented out in the default configuration. An attacker can gain unauthorized access to sensitive API endpoints, modify projects, and control industrial equipment by sending unauthenticated requests immediately after installation.

    How to fix Missing Authentication for Critical Function?

    There is no fixed version for fuxa-server.

    • C
    Missing Authentication for Critical Function

    fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /api/upload endpoint, which lacks authentication controls. An attacker can gain administrative access or execute arbitrary code by uploading malicious files or overwriting critical system files.

    How to fix Missing Authentication for Critical Function?

    There is no fixed version for fuxa-server.
