VibeSense

VibeSense Security Audit

Security Audit Report · v2.0

Project: SISTWEB_DiscoveryBuilders

Date: 5/3/2026, 12:26:24 PM

Engine: Semgrep + Gitleaks + Claude AI

Score: 10 / 100 · 🚨 Critical · Grade: F

30087 total findings across 87 files · 29 vulnerability types

Summary (the four severity counts add up to the 30087 total):
  • 🔴 Critical: 2370
  • 🟡 Warnings: 26979
  • 🔵 Informational: 557
  • 🔑 Secrets (Gitleaks): 181
  • 📁 Files: 87
  • ⚡ Finding types: 29

How to read the counts: the scanner reports every match, and a large share of the sample locations below sit under /src/PREV (which appears to be an older copy of the application) and under /src/Template_html and /src/assets/libs (which appear to be a third-party front-end template with its bundled libraries). Hits in those trees are often repeated once per copy. Triage from the application's own code first (/src/server, /src/discoveryWS, /src/alta_field_supervisor, /src/login.js and the other PHP entry points), and treat template and library hits as candidates for a vendor update or a scan exclusion rather than as application defects.

📊 OWASP Top 10: affected categories (chart; data tabulated below)

📈 Score history for SISTWEB_DiscoveryBuilders (chart; no data captured in this export)
🛡️ Analysis by OWASP Top 10:2021 category (labels exactly as emitted by the scanner)

Category label                               Findings
A07:2021-Identification-Auth-Failures           14072
A03:2021-Injection                              10216
A01:2021-Broken-Access-Control                   2311
A05:2021-Security-Misconfiguration               1795
A07:2021-XSS                                     1351
A02:2021 (Cryptographic Failures)                 181
A01:2021 (Broken Access Control)                   92
A02:2021-Cryptographic Failures                    28
A04:2021 (Insecure Design)                         17
A09:2021-Security-Logging                          11
A07:2021 (Identification & Auth Failures)           8
A02:2021-Cryptographic-Failures                     5

Note: the same OWASP category appears under several spellings because different rules tag it differently (for example three variants of A02:2021), so the rows should be summed per category when reporting. The "A07:2021-XSS" bucket is mislabelled by the scanner: OWASP Top 10:2021 files Cross-Site Scripting under A03:2021-Injection, not A07.

🔍 Security Findings
Each entry gives: severity · occurrence count · OWASP tag · CWE, then the description and up to ten sample locations. The location list is capped at ten, so for large entries the count and the list differ; a path repeated on the same line means several matches on that line.
🟡 WARNING · MEDIUM · 14047 occurrences · A07:2021-Identification-Auth-Failures · CWE-208
Secret compared with === (vulnerable to timing attack); use crypto.timingSafeEqual
📁 Locations (first 10 of 14047):
  • /src/PREV/Template_html/src/assets/js/app.js : L23
  • /src/PREV/Template_html/src/assets/js/app.js : L66
  • /src/PREV/Template_html/src/assets/js/app.js : L66
  • /src/PREV/Template_html/src/assets/js/app.js : L311
  • /src/PREV/Template_html/src/assets/js/app.js : L323
  • /src/PREV/Template_html/src/assets/js/app.js : L763
  • /src/PREV/Template_html/src/assets/js/app.js : L768
  • /src/PREV/Template_html/src/assets/js/app.js : L786
  • /src/PREV/Template_html/src/assets/js/app.js : L1152
  • /src/PREV/Template_html/src/assets/js/app.js : L1160
Triage note: all ten sample locations are in client-side template script (app.js). A timing attack requires the comparison to run on the server, where the attacker measures response latency against a secret they do not hold; an === in browser code the user already controls does not qualify. Treat this bucket as probable false positives, scope the rule to server-side code, and apply the mitigation below wherever the backend compares tokens, API keys or MACs.
🛠 Recommended mitigation: timing attack on secret comparison

⚠️ Risk: a comparison with === stops at the first differing byte, so its running time depends on how much of the secret matched. By measuring response times an attacker can recover a token or hash byte by byte.

Remediation steps:

  1. Use crypto.timingSafeEqual() to compare tokens and hashes.
  2. Convert both strings to Buffers before comparing.
  3. Never compare JWTs or API keys with === or ==.
  4. For passwords, use bcrypt.compare(), which is already timing-safe.

Code example:

const crypto = require('crypto');

// Express-style handler context assumed (req/res). Both sides become Buffers
// because timingSafeEqual requires equal-length inputs; checking the lengths
// first only reveals the configured key's length, which is not a secret.
const expected = Buffer.from(process.env.API_TOKEN || '');
const received = Buffer.from(req.headers['x-api-key'] || '');
if (expected.length !== received.length || !crypto.timingSafeEqual(expected, received)) {
  return res.status(401).json({ error: 'Unauthorized' });
}

🎯 Pentest vector: Timing Attack, Token Brute Force

🟡 WARNING · 466 occurrences · A03:2021-Injection · CWE-95
setTimeout/setInterval called with a string instead of a function (implicit eval)
📁 Locations (first 10 of 466):
  • /src/PREV/Template_html/src/assets/js/app.js : L1122
  • /src/PREV/Template_html/src/assets/js/app.js : L1704
  • /src/PREV/Template_html/src/assets/js/app.js : L1712
  • /src/PREV/Template_html/src/assets/js/app.js : L1797
  • /src/PREV/Template_html/src/assets/js/app.js : L2015
  • /src/PREV/Template_html/src/assets/js/pages/api-key.init.js : L206
  • /src/PREV/Template_html/src/assets/js/pages/api-key.init.js : L223
  • /src/PREV/Template_html/src/assets/js/pages/apps-nft-auction.init.js : L68
  • /src/PREV/Template_html/src/assets/js/pages/apps-nft-auction.init.js : L72
  • /src/PREV/Template_html/src/assets/js/pages/apps-nft-auction.init.js : L76
🟡 WARNING · 7438 occurrences · A03:2021-Injection · CWE-1321
Assignment through a dynamic property name can pollute __proto__
📁 Locations (first 10 of 7438):
  • /src/PREV/Template_html/src/assets/js/app.js : L1872
  • /src/PREV/Template_html/src/assets/js/app.js : L1884
  • /src/PREV/Template_html/src/assets/js/app.js : L1885
  • /src/PREV/Template_html/src/assets/js/app.js : L1886
  • /src/PREV/Template_html/src/assets/js/app.js : L1887
  • /src/PREV/Template_html/src/assets/js/app.js : L1888
  • /src/PREV/Template_html/src/assets/js/app.js : L1889
  • /src/PREV/Template_html/src/assets/js/app.js : L1890
  • /src/PREV/Template_html/src/assets/js/app.js : L1891
  • /src/PREV/Template_html/src/assets/js/app.js : L1892
🟡 WARNING · HIGH · 1510 occurrences · A01:2021-Broken-Access-Control · CWE-285
API gateway without a route whitelist: every action exposed by default
📁 Locations (first 10 of 1510):
  • /src/PREV/Template_html/src/assets/js/pages/apexcharts-line.init.js : L822
  • /src/PREV/assets/js/pages/apexcharts-line.init.js : L822
  • /src/PREV/assets/libs/gmaps/lib/gmaps.geometry.js : L16
  • /src/PREV/assets/libs/gmaps/lib/gmaps.routes.js : L71
  • /src/PREV/assets/libs/gmaps/lib/gmaps.routes.js : L100
  • /src/PREV/assets/libs/gmaps/lib/gmaps.routes.js : L159
  • /src/PREV/assets/libs/gmaps/lib/gmaps.routes.js : L248
  • /src/PREV/assets/libs/gmaps/lib/gmaps.routes.js : L277
  • /src/PREV/assets/libs/gmaps/lib/gmaps.routes.js : L306
  • /src/PREV/assets/libs/jsvectormap/maps/canada.js : L1
Triage note: this rule targets the Moleculer API gateway (a Node framework), but every sample location is a front-end charting, maps or vector-map library, and the audited backend is PHP/Slim. These hits look like pattern matches on unrelated object literals and should be verified as false positives; the mitigation below only applies if a Moleculer gateway is actually deployed.
🛠 Recommended mitigation: Moleculer API gateway without a route whitelist

⚠️ Risk: without a whitelist the gateway automatically exposes every action of every registered service, including internal and administrative actions.

Remediation steps:

  1. Define an explicit whitelist of the permitted actions.
  2. Use aliases to map HTTP routes to specific actions.
  3. Mark internal actions with visibility: 'protected' or 'private'.
  4. Periodically review which actions the gateway exposes.
  5. Implement the authorize() hook to check permissions per route.

Code example:

// Correct: only the listed actions are reachable through the gateway;
// any other action, including internal ones, is not routed.
{
  path: '/api',
  whitelist: [
    'users.login',
    'users.register',
    'products.list'
  ],
  aliases: {
    'POST /login': 'users.login',
    'GET /products': 'products.list'
  }
}

🎯 Pentest vector: Unauthorized API Access, Internal Action Exposure

🟡 WARNING · 274 occurrences · A01:2021-Broken-Access-Control · CWE-601
window.location assigned from unvalidated data (possible open redirect)
📁 Locations (first 10 of 274):
  • /src/PREV/Template_html/src/assets/js/pages/invoicecreate.init.js : L556
  • /src/PREV/alta_field_supervisor/index.js : L186
  • /src/PREV/assets/js/pages/invoicecreate.init.js : L556
  • /src/PREV/assets/libs/toastify-js/src/toastify-es.js : L312
  • /src/PREV/assets/libs/toastify-js/src/toastify.js : L234
  • /src/PREV/login.js : L167
  • /src/PREV/login.js : L169
  • /src/Template_html/src/assets/js/pages/invoicecreate.init.js : L556
  • /src/alta_field_supervisor/index.js : L186
  • /src/alta_field_supervisor/main.js : L186
Triage note: the login.js and alta_field_supervisor hits are application code and deserve review first; the toastify-js entries are library code (its click-destination option) and the invoicecreate page is template code.
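The check a client needs before assigning a user-controlled value (a "next" or "redirect" parameter) to window.location, as an added example that is not code from the audited project: the value is resolved against the application's own origin and only a same-origin path is handed back, so protocol-relative, backslash, userinfo and javascript: variants all fall back to a fixed target. The origin https://app.example.com is an assumed placeholder; the same rule applies server-side to any Location header built from request data.

```javascript
// Added example, not code from the audited project. Assumed application
// origin (placeholder): https://app.example.com
const APP_ORIGIN = 'https://app.example.com';
const DEFAULT_TARGET = '/';

// Returns a same-origin path (plus query and fragment) for a user-supplied
// redirect value, or DEFAULT_TARGET when the value points anywhere else.
function safeRedirectTarget(userValue, origin = APP_ORIGIN) {
  if (typeof userValue !== 'string' || userValue.length === 0) return DEFAULT_TARGET;
  let parsed;
  try {
    // Relative values resolve against our origin; absolute ones keep their own.
    // The WHATWG parser also turns "//evil.example" and "/\evil.example" into
    // cross-origin URLs, so they fail the origin check below.
    parsed = new URL(userValue, origin);
  } catch {
    return DEFAULT_TARGET;
  }
  // Rejects other hosts, "javascript:" and "data:" (their origin is "null"),
  // and userinfo tricks such as https://app.example.com@evil.example/
  if (parsed.origin !== origin) return DEFAULT_TARGET;
  // Hand back only the path, never a full URL, so callers cannot reintroduce a host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Browser usage (not executed here):
//   const next = new URLSearchParams(location.search).get('next');
//   window.location.assign(safeRedirectTarget(next, location.origin));
```

Returning a path rather than echoing the validated URL is deliberate: if the origin check is ever weakened, the worst outcome is a wrong page on the same site, not a redirect off it.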
🟡 WARNING · HIGH · 1323 occurrences · A07:2021-XSS (scanner label; OWASP files XSS under A03:2021-Injection)
Direct output without sanitization (possible XSS)
📁 Locations (first 10 of 1323):
  • /src/PREV/alta_field_supervisor/index.php : L4
  • /src/PREV/alta_field_supervisor/index.php : L6
  • /src/PREV/alta_field_supervisor/index.php : L6
  • /src/PREV/alta_field_supervisor/index.php : L94
  • /src/PREV/alta_field_supervisor/index.php : L94
  • /src/PREV/alta_field_supervisor/index.php : L153
  • /src/PREV/alta_field_supervisor/index.php : L153
  • /src/PREV/alta_field_supervisor/index.php : L155
  • /src/PREV/alta_field_supervisor/index.php : L155
  • /src/PREV/alta_field_supervisor/index.php : L155
🛠 Recommended mitigation: direct output without sanitization (XSS)

⚠️ Risk: printing unsanitized data allows Cross-Site Scripting, which can steal sessions or run attacker code in the victim's browser.

Remediation steps:

  1. Use htmlspecialchars() with ENT_QUOTES and the UTF-8 charset.
  2. Use htmlentities() as a more complete alternative.
  3. Deploy a Content Security Policy (CSP) on the server.
  4. Consider a template engine that escapes automatically (Twig).
  5. Never print data from $_GET, $_POST or $_COOKIE directly.

Code example:

// Escapes &, <, >, " and ' for element content and quoted attribute values;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8 input.
echo htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

Escaping is context-specific: the call above is correct inside element content and quoted attributes, but a value placed in a URL attribute, inline script or CSS needs the encoder for that context.

🎯 Pentest vector: Reflected XSS, Stored XSS, Cookie Theft

🟡 WARNING · 1498 occurrences · A05:2021-Security-Misconfiguration · CWE-1333
RegExp built from user input (possible ReDoS)
📁 Locations (first 10 of 1498):
  • /src/PREV/assets/libs/choices.js/src/scripts/choices.ts : L210
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ac.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ac.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ac.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ad.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ad.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ad.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ae.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ae.js : L35
  • /src/PREV/assets/libs/cleave.js/addons/cleave-phone.ae.js : L35
Triage note: every sample location is bundled library code (cleave.js per-country phone addons, choices.js). The count is inflated by one hit per country file; the fix for library code is a vendor update, not a local patch. In application code, escape user input before passing it to new RegExp, or match it as a literal substring instead.
🟡 WARNING · 4 occurrences · A03:2021-Injection · CWE-1321
Object.assign with external data can pollute the prototype
📁 Locations (4):
  • /src/PREV/assets/libs/swiper/components-shared/get-params.js : L16
  • /src/PREV/assets/libs/swiper/modules/thumbs/thumbs.js : L60
  • /src/assets/libs/swiper/components-shared/get-params.js : L16
  • /src/assets/libs/swiper/modules/thumbs/thumbs.js : L60
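One hardened merge covering both this finding and the earlier "assignment through a dynamic property name" finding, as an added example that is not code from the project or from the swiper library: the vulnerable recursive merge is shown beside a version that copies own keys only, drops __proto__, constructor and prototype, and defines properties directly so no setter on the prototype chain is triggered. The JSON document is a constructed sample of what an attacker would POST.

```javascript
// Added example, not code from the audited project or from the swiper library.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern: for...in visits the own "__proto__" key that JSON.parse
// creates, target["__proto__"] resolves to Object.prototype, and the recursion
// then writes attacker-chosen properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, reserved names dropped, and properties defined
// directly so no setter on the prototype chain (such as __proto__) runs.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key, { value, enumerable: true, writable: true, configurable: true });
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      defineOwn(target, key, safeMerge(isPlainObject(existing) ? existing : {}, value));
    } else {
      defineOwn(target, key, value);
    }
  }
  return target;
}

// Same rule for a single dynamic assignment (obj[userControlledKey] = value).
function safeSet(obj, key, value) {
  if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to set reserved key "${key}"`);
  defineOwn(obj, key, value);
  return obj;
}

// Constructed sample payload, as an attacker might submit it.
const HOSTILE_JSON = '{"__proto__": {"isAdmin": true}, "name": "mallory"}';
```

Object.assign itself copies through [[Set]], so with the hostile document above it would replace the target's prototype with the attacker's object; filtering the key before copying is what makes either approach safe.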
🟡 WARNING · 5 occurrences · A02:2021-Cryptographic-Failures · CWE-338
mt_rand()/rand() are not cryptographically secure; do not use them for tokens
📁 Locations (5):
  • /src/PREV/discoveryWS/includes/PHPMailer.php : L2494
  • /src/PREV/discoveryWS/includes/phpqrcode/bindings/tcpdf/qrcode.php : L1241
  • /src/PREV/discoveryWS/includes/phpqrcode/qrmask.php : L297
  • /src/discoveryWS/includes/phpqrcode/bindings/tcpdf/qrcode.php : L1241
  • /src/discoveryWS/includes/phpqrcode/qrmask.php : L297
Triage note: all five hits are inside bundled libraries (PHPMailer, phpqrcode). Confirm whether the random value feeds a security token at all before rating them; for application-generated tokens use random_bytes() or random_int().
🟡 WARNING · 25 occurrences · A07:2021-Identification-Auth-Failures · CWE-384
session_start() without session_regenerate_id() at login (possible session fixation)
📁 Locations (first 10 of 25):
  • /src/PREV/discoveryWS/index.php : L2
  • /src/discoveryWS/cambiar_contrasena.php : L2
  • /src/discoveryWS/index.php : L2
  • /src/discoveryWS/index_18jun.php : L2
  • /src/discoveryWS/index__.php : L2
  • /src/discoveryWS/verificar_codigo.php : L2
  • /src/nueva_contrasena.php : L2
  • /src/primer_login.php : L2
  • /src/server/index.php : L842
  • /src/server/index.php : L965
Call session_regenerate_id(true) immediately after the credential check succeeds and before the user identity is written into $_SESSION, so a session id planted by an attacker before login is never promoted to an authenticated one.
🟡 WARNING · 92 occurrences · A01:2021
Slim route without authentication middleware detected
📁 Locations (first 10 of 92):
  • /src/PREV/discoveryWS/index.php : L125
  • /src/PREV/discoveryWS/index.php : L213
  • /src/discoveryWS/index.php : L82
  • /src/discoveryWS/index.php : L219
  • /src/discoveryWS/index_18jun.php : L82
  • /src/discoveryWS/index_18jun.php : L170
  • /src/discoveryWS/index__.php : L82
  • /src/server/index.php : L37
  • /src/server/index.php : L143
  • /src/server/index.php : L241
Note: the scanner cannot tell which routes are intentionally public (login, password reset). Review the 92 routes against an explicit list of public endpoints and attach the token middleware to every route group that is not on it, rather than to individual routes.
🟡 WARNING · 3 occurrences · A07:2021
JWT algorithm potentially insecure or not validated
📁 Locations (3):
  • /src/PREV/discoveryWS/middlewares/validateToken.php : L25
  • /src/discoveryWS/middlewares/validateToken.php : L25
  • /src/discoveryWS/validateToken.php : L25
🟡 WARNING · 277 occurrences · A01:2021-Broken-Access-Control · CWE-352
POST form without CSRF token verification
📁 Locations (first 10 of 277):
  • /src/discoveryWS/index.php : L224
  • /src/discoveryWS/index.php : L225
  • /src/discoveryWS/index.php : L238
  • /src/discoveryWS/index.php : L239
  • /src/discoveryWS/index.php : L240
  • /src/discoveryWS/index_18jun.php : L176
  • /src/server/index.php : L5147
  • /src/server/index.php : L5147
  • /src/server/index.php : L5149
  • /src/server/index.php : L5149
🟡 WARNING · 17 occurrences · A04:2021
Input read from the Slim Request without explicit validation
📁 Locations (first 10 of 17):
  • /src/server/index.php : L856
  • /src/server/index.php : L979
  • /src/server/index.php : L1852
  • /src/server/index.php : L1998
  • /src/server/index.php : L2141
  • /src/server/index.php : L2750
  • /src/server/index.php : L2914
  • /src/server/index.php : L3381
  • /src/server/index.php : L3606
  • /src/server/index.php : L3840
🔵 INFO · 288 occurrences · A05:2021-Security-Misconfiguration · CWE-755
JSON.parse without try/catch can crash the application on malformed input
📁 Locations (first 10 of 288):
  • /src/PREV/Template_html/gulpfile.js : L20
  • /src/PREV/Template_html/src/assets/js/app.js : L67
  • /src/PREV/Template_html/src/assets/js/app.js : L368
  • /src/PREV/Template_html/src/assets/js/app.js : L856
  • /src/PREV/Template_html/src/assets/js/pages/apexcharts-area.init.js : L13
  • /src/PREV/Template_html/src/assets/js/pages/apexcharts-bar.init.js : L13
  • /src/PREV/Template_html/src/assets/js/pages/apexcharts-boxplot.init.js : L13
  • /src/PREV/Template_html/src/assets/js/pages/apexcharts-bubble.init.js : L14
  • /src/PREV/Template_html/src/assets/js/pages/apexcharts-candlestick.init.js : L14
  • /src/PREV/Template_html/src/assets/js/pages/apexcharts-column.init.js : L14
🔵 INFO · 250 occurrences · A01:2021-Broken-Access-Control · CWE-285
fetch() to an internal API without an Authorization header (unauthenticated request)
📁 Locations (first 10 of 250):
  • /src/PREV/alta_field_supervisor/index.js : L167
  • /src/PREV/cat_field_supervisor/index.js : L129
  • /src/PREV/cat_field_supervisor/index.js : L211
  • /src/PREV/login.js : L74
  • /src/PREV/login.js : L84
  • /src/alta_field_supervisor/index.js : L167
  • /src/alta_field_supervisor/main.js : L167
  • /src/background_login/main.js : L96
  • /src/cat_field_supervisor/index.js : L129
  • /src/cat_field_supervisor/index.js : L211
Note: a missing header on the client is informational only; the control that matters is that the server rejects these calls without a valid token (see the Slim route finding above). Login endpoints are expected to be called without one.
🔵 INFO · 8 occurrences · A05:2021-Security-Misconfiguration · CWE-200
var_dump()/print_r(): possible data exposure in production
📁 Locations (8):
  • /src/PREV/discoveryWS/includes/class.pop3.php : L383
  • /src/PREV/discoveryWS/index.php : L74
  • /src/PREV/discoveryWS/index.php : L146
  • /src/PREV/discoveryWS/index.php : L151
  • /src/discoveryWS/includes/class.pop3.php : L383
  • /src/discoveryWS/index.php : L72
  • /src/discoveryWS/index_18jun.php : L72
  • /src/discoveryWS/index__.php : L72
🔵 INFO · 11 occurrences · A09:2021-Security-Logging · CWE-312
console.log of Redux/Zustand state with possibly sensitive data
📁 Locations (first 10 of 11):
  • /src/constructions/scripts/alta.js : L22
  • /src/constructions/scripts/main.js : L41
  • /src/frente/main.js : L14
  • /src/reporte_construction_progress/main_v1.js : L422
  • /src/reporte_construction_progress/main_v1_old.js : L422
  • /src/reporte_construction_progress_old/main_v1.js : L978
  • /src/reporte_construction_progress_old/main_v1_new.js : L415
  • /src/reporte_construction_progress_old/main_v1_new.js : L698
  • /src/reports_semanal/scripts/main.js : L449
  • /src/reports_semanal_dev/scripts/main.js : L439
🔴 ERROR · HIGH · 1760 occurrences · A03:2021-Injection · CWE-79
innerHTML/outerHTML with unsanitized data (DOM XSS)
📁 Locations (first 10 of 1760):
  • /src/PREV/Template_html/src/assets/js/app.js : L372
  • /src/PREV/Template_html/src/assets/js/app.js : L375
  • /src/PREV/Template_html/src/assets/js/app.js : L420
  • /src/PREV/Template_html/src/assets/js/app.js : L609
  • /src/PREV/Template_html/src/assets/js/app.js : L611
  • /src/PREV/Template_html/src/assets/js/app.js : L984
  • /src/PREV/Template_html/src/assets/js/app.js : L996
  • /src/PREV/Template_html/src/assets/js/app.js : L1011
  • /src/PREV/Template_html/src/assets/js/app.js : L1031
  • /src/PREV/Template_html/src/assets/js/app.js : L1057
🛠 Recommended mitigation: innerHTML with unsanitized data (DOM XSS)

⚠️ Risk: assigning unsanitized content to innerHTML allows DOM-based XSS that runs in the user's context and can steal cookies or tokens or perform actions on the user's behalf.

Remediation steps:

  1. Use textContent instead of innerHTML for plain text.
  2. If HTML is required, sanitize it with DOMPurify before assigning.
  3. Build elements with createElement() and appendChild() instead of innerHTML.
  4. Deploy a Content Security Policy (CSP) as defence in depth.

Code example:

// Correct: plain text, the browser never parses it as markup
element.textContent = userInput;

// Correct: sanitized HTML (DOMPurify strips scripts, event handlers and javascript: URLs)
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

// Incorrect: raw user data parsed as HTML
element.innerHTML = userInput;

🎯 Pentest vector: DOM XSS, Cookie Theft, Session Hijacking

🔴 ERROR · 60 occurrences · A03:2021-Injection · CWE-79
insertAdjacentHTML with unsanitized data (DOM XSS)
📁 Locations (first 10 of 60):
  • /src/PREV/Template_html/src/assets/js/app.js : L1162
  • /src/PREV/Template_html/src/assets/js/pages/card.init.js : L17
  • /src/PREV/Template_html/src/assets/js/pages/card.init.js : L36
  • /src/PREV/Template_html/src/assets/js/pages/card.init.js : L56
  • /src/PREV/Template_html/src/assets/js/pages/chat.init.js : L732
  • /src/PREV/Template_html/src/assets/js/pages/chat.init.js : L831
  • /src/PREV/Template_html/src/assets/js/pages/file-manager.init.js : L270
  • /src/PREV/Template_html/src/assets/js/pages/job-grid-list.init.js : L54
  • /src/PREV/Template_html/src/assets/js/pages/tasks-kanban.init.js : L124
  • /src/PREV/Template_html/src/assets/js/pages/tasks-kanban.init.js : L166
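An escaping tagged template for the pattern behind this finding and the innerHTML one above (markup strings assembled from data and then handed to innerHTML or insertAdjacentHTML), as an added example rather than code from the template: every interpolated value is HTML-escaped unless it was produced by the same tag, so nested templates and rendered lists stay safe. The user object and list items are constructed sample data; a full user-supplied URL in href or src would additionally need a scheme check, which the example does not cover (it shows a path segment only).

```javascript
// Added example, not code from the audited template.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in element content and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marks markup that was already produced safely; only the html tag below
// (or markup you wrote yourself, with no data in it) should create one.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: literal parts pass through, interpolations are escaped
// unless they are TrustedHtml (or arrays of TrustedHtml, for rendered lists).
function html(strings, ...values) {
  const render = (v) => (v instanceof TrustedHtml ? v.markup : escapeHtml(v));
  let out = '';
  strings.forEach((chunk, i) => {
    out += chunk;
    if (i < values.length) {
      const v = values[i];
      out += Array.isArray(v) ? v.map(render).join('') : render(v);
    }
  });
  return new TrustedHtml(out);
}

// Example renderer: the path segment gets encodeURIComponent before escaping.
function renderUserCard(user) {
  return html`<div class="card"><h5>${user.name}</h5><a href="/users/${encodeURIComponent(user.id)}">profile</a></div>`.markup;
}

// Nested templates compose without double escaping.
function renderList(items) {
  return html`<ul>${items.map((item) => html`<li>${item}</li>`)}</ul>`.markup;
}

// Browser usage (not executed here):
//   container.innerHTML = renderUserCard(user);
//   container.insertAdjacentHTML('beforeend', renderList(names));
```

The tag makes the safe path the default: a developer has to go out of their way (construct a TrustedHtml by hand) to insert raw markup, which is the property DOMPurify-based sanitization does not give you on its own.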
🔴 ERROR · 12 occurrences · A03:2021-Injection · CWE-79
document.write() with dynamic data (DOM XSS)
📁 Locations (first 10 of 12):
  • /src/PREV/Template_html/src/assets/js/plugins.js : L12
  • /src/PREV/Template_html/src/assets/js/plugins.js : L13
  • /src/PREV/Template_html/src/assets/js/plugins.js : L14
  • /src/PREV/assets/js/plugins.js : L12
  • /src/PREV/assets/js/plugins.js : L13
  • /src/PREV/assets/js/plugins.js : L14
  • /src/Template_html/src/assets/js/plugins.js : L12
  • /src/Template_html/src/assets/js/plugins.js : L13
  • /src/Template_html/src/assets/js/plugins.js : L14
  • /src/assets/js/plugins.js : L12
Note: the 12 hits are the same three lines of plugins.js repeated across four copies of the template. Check whether the written string contains anything other than constants; if it does not, it is a code-quality issue (document.write blocks parsing) rather than an injection.
🔴 ERROR · CRITICAL · 195 occurrences · A03:2021-Injection · CWE-98
include/require with a dynamic variable (possible LFI/RFI)
📁 Locations (first 10 of 195):
  • /src/PREV/alta_field_supervisor/index.php : L2
  • /src/PREV/alta_field_supervisor/index.php : L3
  • /src/PREV/alta_field_supervisor/index.php : L159
  • /src/PREV/cat_field_supervisor/index.php : L3
  • /src/PREV/cat_field_supervisor/index.php : L152
  • /src/PREV/discoveryWS/clsAuthentication.php : L5
  • /src/PREV/discoveryWS/includes/PHPMailer.php : L2086
  • /src/PREV/discoveryWS/includes/class.phpmailer.php : L702
  • /src/PREV/discoveryWS/includes/class.phpmailer.php : L874
  • /src/PREV/discoveryWS/includes/fpdf.php : L1141
Triage note: the rule fires on any include whose path contains a variable. Hits inside bundled libraries (PHPMailer, fpdf) are typically built from fixed directory constants and should be verified before being rated critical; the application-level hits (alta_field_supervisor, cat_field_supervisor, clsAuthentication.php) are the ones to confirm first, by checking whether any part of the path derives from request data.
🛠 Recommended mitigation: dynamic include/require (LFI/RFI)

⚠️ Risk: Local File Inclusion lets an attacker read server files (/etc/passwd, logs) or execute code through files they can influence; Remote File Inclusion lets them load and execute code from a server they control.

Remediation steps:

  1. Use a map of permitted files (whitelist) instead of dynamic paths.
  2. Validate the value against a fixed list of permitted options.
  3. Never include paths that come from $_GET, $_POST or $_COOKIE.
  4. Disable allow_url_include in php.ini.
  5. Use basename() or realpath() and verify the result lies inside the permitted directory.

Code example:

// The request parameter is only ever used as a key into a fixed map;
// an unknown or missing key falls back to home.php.
$allowed = ['home' => 'home.php', 'about' => 'about.php'];
$page = $allowed[$_GET['page'] ?? ''] ?? 'home.php';
include __DIR__ . '/pages/' . $page;

🎯 Pentest vector: Local File Inclusion (LFI), Remote File Inclusion (RFI)

🔴 ERROR · 4 occurrences · A03:2021-Injection · CWE-95
new Function() is equivalent to eval() (possible code injection)
📁 Locations (4):
  • /src/PREV/assets/libs/card/card.js : L1
  • /src/PREV/assets/libs/card/jquery.card.js : L1
  • /src/assets/libs/card/card.js : L1
  • /src/assets/libs/card/jquery.card.js : L1
Note: all four hits are on line 1 of a bundled library, which indicates minified code. Verify whether the argument to new Function() is a constant (as in common bundler boilerplate) before treating it as injectable; the risk only exists if the argument is built from data.
🔴 ERROR · HIGH · 5 occurrences · A07:2021
JWT generated without an 'exp' claim
📁 Locations (5):
  • /src/PREV/discoveryWS/clsAuthentication.php : L25
  • /src/PREV/discoveryWS/middlewares/validateToken.php : L25
  • /src/discoveryWS/clsAuthentication.php : L25
  • /src/discoveryWS/middlewares/validateToken.php : L25
  • /src/discoveryWS/validateToken.php : L25
🛠 Recommended mitigation: JWT without expiry in PHP

⚠️ Risk: a token without an expiry grants access indefinitely; if it is ever leaked it stays valid until the signing key is rotated.

Remediation steps:

  1. Add the 'exp' claim to the JWT payload.
  2. Choose a short lifetime (3600 = 1 hour).
  3. Check expiry explicitly when verifying the token (firebase/php-jwt does this in JWT::decode and throws ExpiredException).
  4. Add the 'iat' (issued at) claim to record when the token was issued.
  5. Implement token revocation in the database or a cache, since a signed token cannot otherwise be withdrawn before exp.

Code example:

use Firebase\JWT\JWT; // firebase/php-jwt
$payload = ['sub' => $userId, 'iat' => time(), 'exp' => time() + 3600]; // expires in one hour
$token = JWT::encode($payload, $secretKey, 'HS256');

🎯 Pentest vector: Token Replay, Session Persistence After Logout

🔴 ERROR · 10 occurrences · A02:2021-Cryptographic Failures
JWT::decode used without explicit algorithm validation
📁 Locations (10):
  • /src/PREV/discoveryWS/clsAuthentication.php : L50
  • /src/PREV/discoveryWS/clsAuthentication.php : L70
  • /src/PREV/discoveryWS/middlewares/validateToken.php : L32
  • /src/PREV/discoveryWS/middlewares/validateToken.php : L45
  • /src/discoveryWS/clsAuthentication.php : L50
  • /src/discoveryWS/clsAuthentication.php : L70
  • /src/discoveryWS/middlewares/validateToken.php : L32
  • /src/discoveryWS/middlewares/validateToken.php : L45
  • /src/discoveryWS/validateToken.php : L32
  • /src/discoveryWS/validateToken.php : L45
The algorithm must be fixed by the verifier, never read from the token header, otherwise an attacker can present an unsigned token (alg "none") or swap algorithms. With firebase/php-jwt 6.x this is done by passing new Key($secretKey, 'HS256') as the second argument of JWT::decode; on the 5.x API the third argument listing the allowed algorithms (['HS256']) must be supplied.
🔴 ERROR · CRITICAL · 18 occurrences · A02:2021-Cryptographic Failures
Use of an insecure hash (md5/sha1)
📁 Locations (first 10 of 18):
  • /src/PREV/discoveryWS/includes/SMTP.php : L572
  • /src/PREV/discoveryWS/includes/SMTP.php : L580
  • /src/PREV/discoveryWS/includes/SMTP.php : L580
  • /src/PREV/discoveryWS/includes/class.phpmailer.php : L1077
  • /src/PREV/discoveryWS/includes/class.phpmailer.php : L2011
  • /src/PREV/discoveryWS/includes/class.phpmailer.php : L2016
  • /src/PREV/discoveryWS/includes/class.phpmailer.php : L2289
  • /src/PREV/discoveryWS/includes/phpqrcode/index.php : L60
  • /src/discoveryWS/includes/SMTP.php : L572
  • /src/discoveryWS/includes/SMTP.php : L580
Triage note: every sample location is inside bundled mail and QR libraries (SMTP.php, class.phpmailer.php, phpqrcode), where md5/sha1 are not necessarily used to store passwords. Check the eight locations not shown here for application code before rating this critical; the mitigation below applies to the application's own credential storage.
🛠 Recommended mitigation: weak password hash (MD5/SHA1)

⚠️ Risk: MD5 and SHA1 are unsuitable for passwords; they are fast and unsalted in typical use, so hashes are recovered with rainbow tables or brute force in seconds.

Remediation steps:

  1. Use password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID.
  2. Use password_verify() for the comparison.
  3. Migrate existing hashes at the user's next successful login (the only moment the plaintext is available); password_needs_rehash() handles later cost increases the same way.
  4. Use an adequate work factor (cost >= 12 for bcrypt).

Code example:

// cost 12 = 2^12 bcrypt rounds; raise it as hardware gets faster
$hash  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$valid = password_verify($input, $hash);

🎯 Pentest vector: Password Cracking, Credential Stuffing, Rainbow Table Attack

🔴 ERROR · 28 occurrences · A07:2021-XSS (scanner label; OWASP files XSS under A03:2021-Injection)
Request data echoed in the response without sanitization
📁 Locations (first 10 of 28):
  • /src/PREV/discoveryWS/index.php : L66
  • /src/PREV/discoveryWS/index.php : L120
  • /src/PREV/discoveryWS/index.php : L161
  • /src/PREV/discoveryWS/index.php : L170
  • /src/PREV/discoveryWS/index.php : L208
  • /src/PREV/discoveryWS/index.php : L342
  • /src/PREV/discoveryWS/middlewares/beforeMiddleware.php : L31
  • /src/PREV/discoveryWS/middlewares/beforeMiddleware.php : L46
  • /src/PREV/discoveryWS/middlewares/beforeMiddleware.php : L52
  • /src/discoveryWS/index.php : L64
Note: for a JSON API (discoveryWS appears to be one) the relevant control is the response Content-Type (application/json, never text/html) plus JSON encoding of the value; HTML escaping only applies where the response is rendered as a page.
🔴 ERROR · 277 occurrences · A03:2021-Injection
Use of input without prior validation
📁 Locations (first 10 of 277):
  • /src/discoveryWS/index.php : L224
  • /src/discoveryWS/index.php : L225
  • /src/discoveryWS/index.php : L238
  • /src/discoveryWS/index.php : L239
  • /src/discoveryWS/index.php : L240
  • /src/discoveryWS/index_18jun.php : L176
  • /src/server/index.php : L5147
  • /src/server/index.php : L5147
  • /src/server/index.php : L5149
  • /src/server/index.php : L5149
Note: same count and same ten sample locations as the CSRF finding above; two rules fired on the same form-handling lines, so the two entries should be deduplicated when counting remediation work.
🔴 ERROR · 1 occurrence · A05:2021-Security-Misconfiguration · CWE-200
phpinfo() exposes the full server configuration
📁 Locations (1):
  • /src/info.php : L1
Remove /src/info.php from the deployment entirely; a phpinfo page is a reconnaissance source (PHP version, loaded extensions, paths, environment variables) and has no place in production.
🔑 Exposed Secrets and Credentials (Gitleaks)
⚠️ Action required: 181 secret(s) were found; the table below shows the first 54. Rotate every credential confirmed to be live, and remove it from git history as well as from the working tree, since the scanner (and an attacker with the repository) reads old commits too.

Gitleaks descriptions for the two rule types seen:
  • generic-api-key: "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."
  • gcp-api-key: "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."

Severity  Type             File : Line                                                              Preview
HIGH      generic-api-key  pruebaaWs.php : L3                                                       DQCcwV***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1  pk.eyJ*** (5 matches on this line)
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L6       fef670***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L14      ed4c0d***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L22      0b53e8***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L30      b69ee2***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L38      33ec3a***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L46      845403***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L54      aecc1e***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L62      8abba6***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L70      9e6d33***
HIGH      generic-api-key  PREV/Template_html/dist/minimal/assets/libs/quill/quill.min.js : L7      e.defa***
HIGH      gcp-api-key      PREV/Template_html/dist/minimal/maps-google.html : L2651                 AIzaSy***
HIGH      generic-api-key  PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L12         pk.eyJ***
HIGH      generic-api-key  PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L25         pk.eyJ***
HIGH      generic-api-key  PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L57         pk.eyJ***
HIGH      generic-api-key  PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L113        pk.eyJ***
HIGH      generic-api-key  PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L162        pk.eyJ***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L6                fef670***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L14               ed4c0d***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L22               0b53e8***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L30               b69ee2***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L38               33ec3a***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L46               845403***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L54               aecc1e***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L62               8abba6***
HIGH      generic-api-key  PREV/Template_html/src/assets/json/api-key-list.json : L70               9e6d33***
HIGH      gcp-api-key      PREV/Template_html/src/html/corporate/maps-google.html : L108            AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/creative/maps-google.html : L108             AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/default/maps-google.html : L108              AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/galaxy/maps-google.html : L108               AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/interactive/maps-google.html : L108          AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/material/maps-google.html : L108             AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/minimal/maps-google.html : L108              AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/modern/maps-google.html : L108               AIzaSy***
HIGH      gcp-api-key      PREV/Template_html/src/html/saas/maps-google.html : L108                 AIzaSy***
HIGH      generic-api-key  PREV/assets/js/pages/leaflet-map.init.js : L12                           pk.eyJ***
HIGH      generic-api-key  PREV/assets/js/pages/leaflet-map.init.js : L25                           pk.eyJ***
HIGH      generic-api-key  PREV/assets/js/pages/leaflet-map.init.js : L57                           pk.eyJ***
HIGH      generic-api-key  PREV/assets/js/pages/leaflet-map.init.js : L113                          pk.eyJ***
HIGH      generic-api-key  PREV/assets/js/pages/leaflet-map.init.js : L162                          pk.eyJ***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L6                                  fef670***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L14                                 ed4c0d***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L22                                 0b53e8***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L30                                 b69ee2***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L38                                 33ec3a***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L46                                 845403***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L54                                 aecc1e***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L62                                 8abba6***
HIGH      generic-api-key  PREV/assets/json/api-key-list.json : L70                                 9e6d33***

Triage of the rows shown:
  • pruebaaWs.php : L3 (DQCcwV***) is application code, not template material: rotate it first and move the value into environment configuration that is not committed.
  • The AIzaSy*** values are Google Maps browser keys embedded in ten variants of the template's maps-google.html. A browser key is expected to appear in HTML, but it must be restricted by HTTP referrer and to the Maps APIs only in the Google Cloud console; if the key is unrestricted, or if it is the vendor's sample key, rotate or remove it.
  • The pk.eyJ*** values are Mapbox access tokens; the pk. prefix denotes a public (client-side) token by Mapbox's naming convention, so their exposure is by design, but they should be URL-restricted in the Mapbox account and the template's sample token replaced with the project's own.
  • The api-key-list.json entries are identical across three copies of the template (dist/minimal, src, PREV/assets) and sit in a demo "API key list" data file; they are most likely fixture data, but confirm none is a live credential before dismissing them.
  • quill.min.js : L7 (e.defa***) is a fragment of a minified identifier and a false positive of the generic rule.
HIGH generic-api-key PREV/assets/libs/quill/quill.min.js : L7 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. e.defa***
HIGH generic-api-key PREV/discoveryWS/clsAuthentication.php : L9 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key PREV/discoveryWS/clsAuthentication.php : L47 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key PREV/discoveryWS/clsAuthentication.php : L68 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key PREV/discoveryWS/dbconn.php : L8 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. Hs10g7***
HIGH private-key PREV/discoveryWS/vendor/firebase/php-jwt/README.md : L112 Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. -----B***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L6 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. fef670***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L14 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. ed4c0d***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L22 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 0b53e8***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L30 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. b69ee2***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L38 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 33ec3a***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L46 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 845403***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L54 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. aecc1e***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L62 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 8abba6***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/json/api-key-list.json : L70 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 9e6d33***
HIGH generic-api-key PREV/Template_html/dist/minimal/assets/libs/quill/quill.min.js : L7 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. e.defa***
HIGH gcp-api-key PREV/Template_html/dist/minimal/maps-google.html : L2651 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH generic-api-key PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L12 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L25 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L57 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L113 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/src/assets/js/pages/leaflet-map.init.js : L162 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L6 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. fef670***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L14 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. ed4c0d***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L22 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 0b53e8***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L30 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. b69ee2***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L38 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 33ec3a***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L46 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 845403***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L54 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. aecc1e***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L62 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 8abba6***
HIGH generic-api-key PREV/Template_html/src/assets/json/api-key-list.json : L70 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 9e6d33***
HIGH gcp-api-key PREV/Template_html/src/html/corporate/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/creative/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/default/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/galaxy/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/interactive/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/material/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/minimal/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/modern/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key PREV/Template_html/src/html/saas/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH generic-api-key PREV/assets/js/pages/leaflet-map.init.js : L12 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/assets/js/pages/leaflet-map.init.js : L25 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/assets/js/pages/leaflet-map.init.js : L57 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/assets/js/pages/leaflet-map.init.js : L113 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/assets/js/pages/leaflet-map.init.js : L162 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L6 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. fef670***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L14 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. ed4c0d***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L22 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 0b53e8***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L30 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. b69ee2***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L38 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 33ec3a***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L46 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 845403***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L54 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. aecc1e***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L62 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 8abba6***
HIGH generic-api-key PREV/assets/json/api-key-list.json : L70 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 9e6d33***
HIGH generic-api-key PREV/assets/libs/quill/quill.min.js : L7 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. e.defa***
HIGH generic-api-key PREV/discoveryWS/clsAuthentication.php : L9 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key PREV/discoveryWS/clsAuthentication.php : L47 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key PREV/discoveryWS/clsAuthentication.php : L68 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key PREV/discoveryWS/dbconn.php : L8 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. Hs10g7***
HIGH private-key PREV/discoveryWS/vendor/firebase/php-jwt/README.md : L112 Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. -----B***
HIGH private-key server/discoverybuilders-6d3a72e4ac90.json : L5 Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. -----B***
HIGH generic-api-key server/config.php : L6 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. Hs10g7***
HIGH generic-api-key server/config2.php : L8 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. Hs10g7***
HIGH generic-api-key discoveryWS/clsAuthentication.php : L9 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key discoveryWS/clsAuthentication.php : L47 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key discoveryWS/clsAuthentication.php : L68 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 68V0zW***
HIGH generic-api-key discoveryWS/dbconn.php : L8 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. Hs10g7***
HIGH private-key discoveryWS/vendor/firebase/php-jwt/README.md : L112 Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. -----B***
HIGH generic-api-key Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/dist/minimal/assets/js/pages/leaflet-map.init.js : L1 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L6 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. fef670***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L14 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. ed4c0d***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L22 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 0b53e8***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L30 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. b69ee2***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L38 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 33ec3a***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L46 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 845403***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L54 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. aecc1e***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L62 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 8abba6***
HIGH generic-api-key Template_html/dist/minimal/assets/json/api-key-list.json : L70 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 9e6d33***
HIGH generic-api-key Template_html/dist/minimal/assets/libs/quill/quill.min.js : L7 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. e.defa***
HIGH gcp-api-key Template_html/dist/minimal/maps-google.html : L2651 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH generic-api-key Template_html/src/assets/js/pages/leaflet-map.init.js : L12 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/src/assets/js/pages/leaflet-map.init.js : L25 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/src/assets/js/pages/leaflet-map.init.js : L57 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/src/assets/js/pages/leaflet-map.init.js : L113 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/src/assets/js/pages/leaflet-map.init.js : L162 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L6 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. fef670***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L14 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. ed4c0d***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L22 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 0b53e8***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L30 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. b69ee2***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L38 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 33ec3a***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L46 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 845403***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L54 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. aecc1e***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L62 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 8abba6***
HIGH generic-api-key Template_html/src/assets/json/api-key-list.json : L70 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 9e6d33***
HIGH gcp-api-key Template_html/src/html/corporate/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/creative/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/default/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/galaxy/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/interactive/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/material/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/minimal/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/modern/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH gcp-api-key Template_html/src/html/saas/maps-google.html : L108 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches. AIzaSy***
HIGH generic-api-key assets/js/pages/leaflet-map.init.js : L12 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key assets/js/pages/leaflet-map.init.js : L25 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key assets/js/pages/leaflet-map.init.js : L57 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key assets/js/pages/leaflet-map.init.js : L113 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key assets/js/pages/leaflet-map.init.js : L162 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. pk.eyJ***
HIGH generic-api-key assets/json/api-key-list.json : L6 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. fef670***
HIGH generic-api-key assets/json/api-key-list.json : L14 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. ed4c0d***
HIGH generic-api-key assets/json/api-key-list.json : L22 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 0b53e8***
HIGH generic-api-key assets/json/api-key-list.json : L30 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. b69ee2***
HIGH generic-api-key assets/json/api-key-list.json : L38 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 33ec3a***
HIGH generic-api-key assets/json/api-key-list.json : L46 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 845403***
HIGH generic-api-key assets/json/api-key-list.json : L54 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. aecc1e***
HIGH generic-api-key assets/json/api-key-list.json : L62 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 8abba6***
HIGH generic-api-key assets/json/api-key-list.json : L70 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. 9e6d33***
HIGH generic-api-key assets/libs/quill/quill.min.js : L7 Detected a Generic API Key, potentially exposing access to various services and sensitive operations. e.defa***

🤖 Intelligent Analysis

Powered by Claude

The AI agent analyzes the project's findings and generates an executive report with context, prioritization, and remediation recommendations specific to the detected stack.

✅ Remediation Tracker

Records the status of each applied remediation. The data is stored in the browser.

WARNING A07:2021-Identification-Auth-Failures
Secret comparison with ===: vulnerable to timing attacks; use crypto.timingSafeEqual

14047 occurrences in 10 file(s)

⏳ Pending
WARNING A03:2021-Injection
setTimeout/setInterval called with a string instead of a function: implicit eval

466 occurrences in 10 file(s)

⏳ Pending
WARNING A03:2021-Injection
Assignment to a dynamic property can pollute __proto__

7438 occurrences in 10 file(s)

⏳ Pending
WARNING A01:2021-Broken-Access-Control
API Gateway without a route whitelist: all actions exposed by default

1510 occurrences in 10 file(s)

⏳ Pending
WARNING A01:2021-Broken-Access-Control
window.location set from unvalidated data: possible open redirect

274 occurrences in 10 file(s)

⏳ Pending
WARNING A07:2021-XSS
Direct output without sanitization (possible XSS)

1323 occurrences in 10 file(s)

⏳ Pending
WARNING A05:2021-Security-Misconfiguration
RegExp built from user input: possible ReDoS

1498 occurrences in 10 file(s)

⏳ Pending
WARNING A03:2021-Injection
Object.assign with external data can pollute the prototype

4 occurrences in 4 file(s)

⏳ Pending
WARNING A02:2021-Cryptographic-Failures
mt_rand()/rand() are not cryptographically secure; do not use them for tokens

5 occurrences in 5 file(s)

⏳ Pending
WARNING A07:2021-Identification-Auth-Failures
session_start() without session_regenerate_id() on login: possible session fixation

25 occurrences in 10 file(s)

⏳ Pending
WARNING A01:2021
Slim route without authentication middleware detected

92 occurrences in 10 file(s)

⏳ Pending
WARNING A07:2021
Potentially insecure or unvalidated JWT algorithm

3 occurrences in 3 file(s)

⏳ Pending
WARNING A01:2021-Broken-Access-Control
POST form without CSRF token verification

277 occurrences in 10 file(s)

⏳ Pending
WARNING A04:2021
Input obtained from the Slim Request without explicit validation

17 occurrences in 10 file(s)

⏳ Pending
ERROR A03:2021-Injection
innerHTML/outerHTML with unsanitized data: DOM XSS

1760 occurrences in 10 file(s)

⏳ Pending
ERROR A03:2021-Injection
insertAdjacentHTML with unsanitized data: DOM XSS

60 occurrences in 10 file(s)

⏳ Pending
ERROR A03:2021-Injection
document.write() with dynamic data: DOM XSS

12 occurrences in 10 file(s)

⏳ Pending
ERROR A03:2021-Injection
include/require with a dynamic variable: possible LFI/RFI

195 occurrences in 10 file(s)

⏳ Pending
ERROR A03:2021-Injection
new Function() is equivalent to eval(): possible code injection

4 occurrences in 4 file(s)

⏳ Pending
ERROR A07:2021
JWT generated without an 'exp' claim

5 occurrences in 5 file(s)

⏳ Pending
ERROR A02:2021-Cryptographic Failures
JWT::decode used without explicit algorithm validation

10 occurrences in 10 file(s)

⏳ Pending
ERROR A02:2021-Cryptographic Failures
Use of an insecure hash (md5/sha1)

18 occurrences in 10 file(s)

⏳ Pending
ERROR A07:2021-XSS
Request data echoed in the response without sanitization

28 occurrences in 10 file(s)

⏳ Pending
ERROR A03:2021-Injection
Use of input without prior validation

277 occurrences in 10 file(s)

⏳ Pending
ERROR A05:2021-Security-Misconfiguration
phpinfo() exposes the full server configuration

1 occurrence in 1 file(s)

⏳ Pending
📋 Audit History
Date Project Score Status Critical Secrets Report
05/03/2026 12:26 SISTWEB_DiscoveryBuilders 10 (F) 🚨 Critical 2370 181 View