Update index.php#58
Open
hugbubby wants to merge 3 commits into
ZeroPath AI Dev / ZeroPath Security Scan
failed
Mar 23, 2026 in 1m 21s
Scan completed
Blocking issue(s) found.
❌ 2 possible security or compliance issues detected. Reviewed everything up to 6b1628e.
The following issues were found:
- Issue 1: Cross Site Scripting (XSS)
  - Location: index.php:435-436
  - Score: CRITICAL (90.0)
  - Description: Directly echoes a user-controlled GET parameter without any validation or escaping: `echo $_GET['asdf'];`. This creates a reflected Cross-Site Scripting (XSS) vulnerability because an attacker can craft a URL with JavaScript in the 'asdf' parameter, which is reflected into the page and executed in victims' browsers.
  - Link to UI: https://dev.branch.zeropath.com/app/issues/c8d7c93c-4ba5-4856-bc5c-b42c2e5a472c (Issue 1, id: c8d7c93c-4ba5-4856-bc5c-b42c2e5a472c)
- Issue 2: Cross Site Scripting (XSS)
  - Location: tags.php:16-17
  - Score: HIGH (81.0)
  - Description: Reflected Cross-Site Scripting (XSS): the new code directly echoes an HTTP GET parameter (`$_GET['asdf']`) into the HTTP response without any validation or encoding. An attacker can craft a URL such as `/tags.php?asdf=<script>alert(1)</script>` to execute arbitrary JavaScript in victims' browsers, leading to session theft, CSRF escalation, or other client-side attacks. The echo is also placed before the access check (check_status), which may expose the output to unauthenticated users.
  - Link to UI: https://dev.branch.zeropath.com/app/issues/e5c32dcc-66ec-40f2-bf71-b6687eecac79 (Issue 2, id: e5c32dcc-66ec-40f2-bf71-b6687eecac79)
Security Overview
- 🔎 Scanned files: 1 changed file(s)
- 🔗 Scan Link: https://dev.branch.zeropath.com/app/repositories/d9cf8881-7d91-495e-919b-1821f32afbca?scanId=3c047318-0e11-4d03-8093-8cab28607630&codeScanTypes=PrScan&tab=issues
Detected Code Changes
| Change Type | Relevant files |
|---|---|
| Enhancement | index.php: Echo GET parameter 'test'; Echo GET parameter 'asdf' |