April 15, 2026 • full scan • Sample Data
Score: 42
Critical: 3
High: 4
Medium: 5
Low: 2
An AWS secret access key was found in plain text. This grants programmatic access to AWS services and could lead to full cloud account compromise.
Location: src/config/aws.ts:14

User input is concatenated directly into a SQL query string without parameterization, allowing an attacker to execute arbitrary SQL.
Location: src/api/users.ts:87

The /api/admin/users endpoint does not verify authentication tokens, allowing unauthenticated access to user management functions.
Location: src/api/admin/users.ts:5

The AI suggested installing 'loda-sh', which is a known hallucinated package name. This name could be registered by an attacker to execute malicious code (supply chain attack).
Location: package.json:12

User-generated content is rendered using dangerouslySetInnerHTML without sanitization.
Location: src/components/CommentSection.tsx:42

The application does not set a Content-Security-Policy header, making it vulnerable to XSS and data injection attacks.

Row Level Security is not enabled on the orders table, meaning any authenticated user can read or modify all orders.

The order detail endpoint uses the order ID from URL params without verifying ownership.
Location: src/api/orders/[id].ts:12

The login API does not implement rate limiting, making it vulnerable to brute-force credential attacks.
Location: src/api/auth/login.ts:1

lodash 4.17.19 has a known prototype pollution vulnerability (CVE-2021-23337).
Location: package.json

Authentication tokens are stored in localStorage, which is accessible via XSS. Consider using httpOnly cookies.
Location: src/lib/auth.ts:23

The application does not set X-Frame-Options, potentially allowing clickjacking attacks.

Unhandled errors return full stack traces to the client, potentially revealing internal paths and dependencies.
Location: src/api/middleware/errorHandler.ts:8

Access-Control-Allow-Origin is set to '*', which may not be appropriate for authenticated APIs.
Location: src/api/server.ts:15

Multiple console.log statements were found that could leak sensitive data to browser developer tools.
Location: src/api/payments.ts:34