Announcement

**svancha** · 3 Nov 2022, 08:20

Could you please help us guide how to resolve them.

**Isomorphic** · 3 Nov 2022, 10:18

There is nothing to resolve here.

You are running a security scanner product, and such tools produce bogus "vulnerabilities" all the time. Here, it is flagging various code that is doing exactly what it is meant to do, because it is only accessible in a certain, safe way, and/or used for a limited purpose.

If you discover any actual vulnerabilities, please do report them, explaining specifically how they can be exploited in a correct installation that follows our documentation. This has only happened once in our 20+ year history, and it was a minor exploit and immediately resolved, but of course we take this very seriously.

CWE-ID & Name	Module	Source
73 (External Control of File Name or Path)	isomorphic-core-rpc-12.1-p20221022.jar	com/isomorphic/util/AtomicFileWriter.java: 48
918 (Server-Side Request Forgery (SSRF))	isomorphic-core-rpc-12.1-p20221022.jar	com/isomorphic/util/ISCHttpClient.java: 105
93 (Improper Neutralization of CRLF Sequences ('CRLF Injection'))	isomorphic-core-rpc-12.1-p20221022.jar	com/isomorphic/mail/MailMessage.java: 516
501 (Trust Boundary Violation)	isomorphic-core-rpc-12.1-p20221022.jar	com/isomorphic/velocity/SessionAttributeMapFacade.java: 120
117 (Improper Output Neutralization for Logs)	isomorphic-core-rpc-12.1-p20221022.jar	com/isomorphic/log/Slf4jLogger.java: 104
113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'))	isomorphic-core-rpc-12.1-p20221022.jar	com/isomorphic/servlet/ServletTools.java: 663
80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))	isomorphic-core-rpc-12.1-p20221022.jar	com/isomorphic/servlet/ScreenLoaderServlet.java: 180

Announcement

Medium Vulnerabilities found by Veracode in 12.1p_2022-10-22

Comment

Comment