# Security

<AccordionGroup>
  <Accordion title="express-sandbox-code-injection">
    Make sure that unverified user data cannot reach `sandbox`.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-94: Improper Control of Generation of Code ('Code Injection')
    <br />**OWASP**: <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="x-frame-options-misconfiguration">
    By letting user input control the `X-Frame-Options` header, there is a risk that the software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-451: User Interface (UI) Misrepresentation of Critical Information
    <br />**OWASP**: <br />- A04:2021 - Insecure Design
  </Accordion>

  <Accordion title="require-request">
    If an attacker controls the `x` in `require(x)`, they can cause code to load that was not intended to run on the server.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-706: Use of Incorrectly-Resolved Name or Reference
    <br />**OWASP**: <br />- A01:2021 - Broken Access Control
  </Accordion>

  <Accordion title="express-data-exfiltration">
    Depending on the context, user-controlled data in `Object.assign` can cause a web response to include data that it should not, or can lead to a mass assignment vulnerability.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
    <br />**OWASP**: <br />- A08:2021 - Software and Data Integrity Failures
  </Accordion>

  <Accordion title="express-expat-xxe">
    Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-611: Improper Restriction of XML External Entity Reference
    <br />**OWASP**: <br />- A04:2017 - XML External Entities (XXE)
    <br />- A05:2021 - Security Misconfiguration
  </Accordion>

  <Accordion title="express-wkhtmltoimage-injection">
    If unverified user data can reach the `phantom` methods, it can result in Server-Side Request Forgery vulnerabilities.<br />**Likelihood**: MEDIUM<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-918: Server-Side Request Forgery (SSRF)
    <br />**OWASP**: <br />- A10:2021 - Server-Side Request Forgery (SSRF)
  </Accordion>

  <Accordion title="express-wkhtmltopdf-injection">
    If unverified user data can reach the `wkhtmltopdf` methods, it can result in Server-Side Request Forgery vulnerabilities.<br />**Likelihood**: MEDIUM<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-918: Server-Side Request Forgery (SSRF)
    <br />**OWASP**: <br />- A10:2021 - Server-Side Request Forgery (SSRF)
  </Accordion>

  <Accordion title="express-puppeteer-injection">
    If unverified user data can reach the `puppeteer` methods, it can result in Server-Side Request Forgery vulnerabilities.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-918: Server-Side Request Forgery (SSRF)
    <br />**OWASP**: <br />- A10:2021 - Server-Side Request Forgery (SSRF)
  </Accordion>

  <Accordion title="cors-misconfiguration">
    By letting user input control CORS parameters, there is a risk that the software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-346: Origin Validation Error
    <br />**OWASP**: <br />- A07:2021 - Identification and Authentication Failures
  </Accordion>

  <Accordion title="express-xml2json-xxe">
    Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-611: Improper Restriction of XML External Entity Reference
    <br />**OWASP**: <br />- A04:2017 - XML External Entities (XXE)
    <br />- A05:2021 - Security Misconfiguration
  </Accordion>

  <Accordion title="express-vm-injection">
    Make sure that unverified user data cannot reach `$VM`.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-94: Improper Control of Generation of Code ('Code Injection')
    <br />**OWASP**: <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="express-jwt-hardcoded-secret">
    A hard-coded credential was detected. It is not recommended to store credentials in source code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials, or to retrieve credentials from a secure vault or HSM (Hardware Security Module).<br />**Likelihood**: HIGH<br />**Confidence**: HIGH<br />**CWE**: <br />- CWE-798: Use of Hard-coded Credentials
    <br />**OWASP**: <br />- A07:2021 - Identification and Authentication Failures
  </Accordion>

  <Accordion title="express-phantom-injection">
    If unverified user data can reach the `phantom` methods, it can result in Server-Side Request Forgery vulnerabilities.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-918: Server-Side Request Forgery (SSRF)
    <br />**OWASP**: <br />- A10:2021 - Server-Side Request Forgery (SSRF)
  </Accordion>

  <Accordion title="express-insecure-template-usage">
    User data from `$REQ` is being compiled into the template, which can lead to a Server-Side Template Injection (SSTI) vulnerability.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
    <br />**OWASP**: <br />- A03:2021 - Injection
    <br />- A01:2017 - Injection
  </Accordion>

  <Accordion title="express-vm2-injection">
    Make sure that unverified user data cannot reach `vm2`.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-94: Improper Control of Generation of Code ('Code Injection')
    <br />**OWASP**: <br />- A03:2021 - Injection
  </Accordion>
</AccordionGroup>
