jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80d80c099ff7b5eab470edcb3c8fa6012bf77a08
cve-dashboard/frontend
History
jramos 8a6a3485e9 security: address audit findings C-4 through M-8 
Critical:
- C-4: Add express-rate-limit to login (20 attempts/15min)
- C-5: Remove default credentials from LoginForm.js
- C-6: Add sandbox attribute to KB document iframe

High:
- H-2: Hard-fail on startup if SESSION_SECRET env var is missing
- H-6: Sanitize filenames in Content-Disposition headers
- H-7: Fix KB upload race condition — move file after DB insert succeeds
- H-8: Generate random admin password in setup.js instead of hardcoded
- H-9: Add rehype-sanitize to ReactMarkdown (requires npm install)

Medium:
- M-4: Fix loose equality (==) to strict (===) in users.js self-checks
- M-5: Add hostname format regex validation in compliance notes
- M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js
- M-7: Sanitize original filename in compliance temp JSON
- M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var

New dependencies needed:
- backend: express-rate-limit (npm install in root)
- frontend: rehype-sanitize (npm install in frontend/)
2026-04-07 10:23:10 -06:00
..
public
Transform CVE Dashboard to tactical intelligence platform aesthetic
2026-02-10 09:34:22 -07:00
src
security: address audit findings C-4 through M-8
2026-04-07 10:23:10 -06:00
.env.example
Added .env configuration to remove hardcoded IP issues
2026-01-28 09:23:30 -07:00
.gitignore
fix: Add frontend files (not as submodule)
2026-01-27 04:08:35 +00:00
cve_database.db
Added tweaks to allow edits/deletes of cve and vendors or to fix typos
2026-02-02 11:33:44 -07:00
package.json
security: address audit findings C-4 through M-8
2026-04-07 10:23:10 -06:00