Some CWE vulnerabilities were found, as follows:
CWE-295 (Disabling Certificate Validation): rejectUnauthorized: false is configured in multiple core files, which skips the legality verification of HTTPS server certificates. It is vulnerable to man-in-the-middle attacks, leading to the interception and tampering of sensitive information during data transmission, and threatening the project's network communication security.
CWE-22 (Uncontrolled Data Used in Path Expression): Multiple file processing modules directly splice file paths with user-controlled data without effective security filtering. Malicious paths can be constructed to access any sensitive files on the server, resulting in information leakage or even server control.
CWE-352 (Missing CSRF Middleware): The server lacks global CSRF protection middleware, and all API interfaces relying on Cookie authentication have no CSRF verification. Malicious websites can impersonate legitimate users to perform sensitive operations, leading to data tampering and permission abuse.
Some CWE vulnerabilities were found, as follows:
CWE-295 (Disabling Certificate Validation): rejectUnauthorized: false is configured in multiple core files, which skips the legality verification of HTTPS server certificates. It is vulnerable to man-in-the-middle attacks, leading to the interception and tampering of sensitive information during data transmission, and threatening the project's network communication security.
CWE-22 (Uncontrolled Data Used in Path Expression): Multiple file processing modules directly splice file paths with user-controlled data without effective security filtering. Malicious paths can be constructed to access any sensitive files on the server, resulting in information leakage or even server control.
CWE-352 (Missing CSRF Middleware): The server lacks global CSRF protection middleware, and all API interfaces relying on Cookie authentication have no CSRF verification. Malicious websites can impersonate legitimate users to perform sensitive operations, leading to data tampering and permission abuse.