stene.xyz security info

stene.xyz 3.0

total known vulnerabilities: 12
fixed: 10 | won't fix: 2

Oct 11, 2024: Cross-Site Request Forgery - high severity - not exploited - fix
A CSRF vulnerability existed: state-changing requests could be triggered from a third-party site using the victim's logged-in session, potentially allowing account hijacking.

Oct 11, 2024: DoS due to Missing Rate Limits - medium severity - not exploited - fix
No rate limits were in place, so an attacker could cause a denial of service by repeatedly calling endpoints that perform multiple filesystem accesses per request.

Oct 11, 2024: 7x Unsanitized input into path expression - high severity - not exploited - fix
User-controlled values were used unsanitized in several path components (path traversal), potentially allowing users to read or write arbitrary files on disk.

Oct 11, 2024: Clear-Text Transmission of Sensitive Cookie - medium severity - won't fix
Session cookies can be intercepted by an attacker when sent over HTTP.
Won't fix: this only affects the test environment (production traffic is routed through HTTPS).

Oct 11, 2024: Client-Side URL Redirect - low severity - won't fix
The vulnerability is in the Nic Cage Eats Stuff game. Won't fix, as a redirect there doesn't compromise anything important.

Oct 11, 2024: Vulnerable dependency - low severity - not exploited - fix
The "cookie" Node.js package had a vulnerability in which cookie name, path and domain values were not validated, so a value containing characters such as ";" could set other fields of the cookie than intended.