VibeSense · Security Audit · SISTWEB_HenP

10 / 100

🚨 Crítico

Grade: F

17282 hallazgos totales en 48 archivos · 27 tipos de vulnerabilidades

🧪 PENTEST
VULNERABILIDADES CRÍTICAS

1152

🔴 Críticos

16003

🟡 Advertencias

🔵 Informativos

110

🔑 Secretos

📁 Archivos

⚡ Tipos

📊 OWASP Top 10 — Categorías Afectadas

📈 Historial de Score — SISTWEB_HenP_24

🛡️ Análisis por Categoría OWASP Top 10:2021

A07:2021-Identification-Auth-Failures 8403

A07:2021-Identification-Auth-Failures

A03:2021-Injection 5140

A03:2021-Injection

A07:2021-XSS 1968

A07:2021-XSS

A01:2021-Broken-Access-Control 823

A01:2021-Broken-Access-Control

A05:2021-Security-Misconfiguration 768

A05:2021-Security-Misconfiguration

A02:2021 110

Cryptographic Failures

A01:2021 60

Broken Access Control

A02:2021-Cryptographic Failures 4

A02:2021-Cryptographic Failures

A07:2021 3

Identification & Auth Failures

A04:2021 2

Insecure Design

A02:2021-Cryptographic-Failures 1

A02:2021-Cryptographic-Failures

🔍 Hallazgos de Seguridad

Severidad	Cantidad	Vulnerabilidad · Detalle · Mitigación
🟡 WARNING MEDIUM	8400	A07:2021-Identification-Auth-Failures CWE-208 Comparación de secretos con === — vulnerable a Timing Attack, usar crypto.timingSafeEqual 📁 10 archivos afectados `/src/HTML_template/src/assets/js/app.js : L23` `/src/HTML_template/src/assets/js/app.js : L66` `/src/HTML_template/src/assets/js/app.js : L66` `/src/HTML_template/src/assets/js/app.js : L311` `/src/HTML_template/src/assets/js/app.js : L323` `/src/HTML_template/src/assets/js/app.js : L763` `/src/HTML_template/src/assets/js/app.js : L768` `/src/HTML_template/src/assets/js/app.js : L786` `/src/HTML_template/src/assets/js/app.js : L1152` `/src/HTML_template/src/assets/js/app.js : L1160` 🛠 Mitigación recomendada — Timing Attack en comparación de secretos ⚠️ Riesgo: La comparación con === tiene tiempo variable según el punto de fallo, permitiendo a un atacante adivinar tokens o hashes bit a bit mediante análisis de tiempo de respuesta. Pasos de remediación: Usar crypto.timingSafeEqual() para comparar tokens y hashes. Convertir ambos strings a Buffer antes de comparar. Nunca comparar tokens JWT o API keys con === o ==. Para contraseñas, usar bcrypt.compare() que ya es timing-safe. Ejemplo de código: const crypto = require('crypto'); const expected = Buffer.from(process.env.API_TOKEN); const received = Buffer.from(req.headers['x-api-key'] \|\| ''); if (expected.length !== received.length \|\| !crypto.timingSafeEqual(expected, received)) { return res.status(401).json({ error: 'Unauthorized' }); } 🎯 Vector de Pentest: Timing Attack, Token Brute Force
🟡 WARNING	271	A03:2021-Injection CWE-95 setTimeout/setInterval con string en lugar de función — eval implícito 📁 10 archivos afectados `/src/HTML_template/src/assets/js/app.js : L1122` `/src/HTML_template/src/assets/js/app.js : L1704` `/src/HTML_template/src/assets/js/app.js : L1712` `/src/HTML_template/src/assets/js/app.js : L1797` `/src/HTML_template/src/assets/js/app.js : L2015` `/src/HTML_template/src/assets/js/pages/api-key.init.js : L206` `/src/HTML_template/src/assets/js/pages/api-key.init.js : L223` `/src/HTML_template/src/assets/js/pages/apps-nft-auction.init.js : L68` `/src/HTML_template/src/assets/js/pages/apps-nft-auction.init.js : L72` `/src/HTML_template/src/assets/js/pages/apps-nft-auction.init.js : L76`
🟡 WARNING	3892	A03:2021-Injection CWE-1321 Asignación con propiedad dinámica puede contaminar __proto__ 📁 10 archivos afectados `/src/HTML_template/src/assets/js/app.js : L1872` `/src/HTML_template/src/assets/js/app.js : L1884` `/src/HTML_template/src/assets/js/app.js : L1885` `/src/HTML_template/src/assets/js/app.js : L1886` `/src/HTML_template/src/assets/js/app.js : L1887` `/src/HTML_template/src/assets/js/app.js : L1888` `/src/HTML_template/src/assets/js/app.js : L1889` `/src/HTML_template/src/assets/js/app.js : L1890` `/src/HTML_template/src/assets/js/app.js : L1891` `/src/HTML_template/src/assets/js/app.js : L1892`
🟡 WARNING HIGH	757	A01:2021-Broken-Access-Control CWE-285 API Gateway sin whitelist de rutas — todas las acciones expuestas por defecto 📁 10 archivos afectados `/src/HTML_template/src/assets/js/pages/apexcharts-line.init.js : L822` `/src/backoffice/assets/js/pages/apexcharts-line.init.js : L1` `/src/backoffice/assets/libs/gmaps/lib/gmaps.geometry.js : L16` `/src/backoffice/assets/libs/gmaps/lib/gmaps.routes.js : L71` `/src/backoffice/assets/libs/gmaps/lib/gmaps.routes.js : L100` `/src/backoffice/assets/libs/gmaps/lib/gmaps.routes.js : L159` `/src/backoffice/assets/libs/gmaps/lib/gmaps.routes.js : L248` `/src/backoffice/assets/libs/gmaps/lib/gmaps.routes.js : L277` `/src/backoffice/assets/libs/gmaps/lib/gmaps.routes.js : L306` `/src/backoffice/assets/libs/jsvectormap/maps/canada.js : L1` 🛠 Mitigación recomendada — API Gateway Moleculer sin whitelist de rutas ⚠️ Riesgo: Sin whitelist, el gateway expone automáticamente todas las acciones de todos los servicios registrados, incluyendo acciones internas o de administración. Pasos de remediación: Definir whitelist explícita con las rutas permitidas. Usar aliases para mapear rutas HTTP a acciones específicas. Marcar acciones internas con visibility: 'protected' o 'private'. Revisar periódicamente qué acciones están expuestas en el gateway. Implementar el hook authorize() para verificar permisos por ruta. Ejemplo de código: // Correcto { path: '/api', whitelist: [ 'users.login', 'users.register', 'products.list' ], aliases: { 'POST /login': 'users.login', 'GET /products': 'products.list' } } 🎯 Vector de Pentest: Unauthorized API Access, Internal Action Exposure
🟡 WARNING	17	A01:2021-Broken-Access-Control CWE-601 window.location con datos sin validar — posible Open Redirect 📁 10 archivos afectados `/src/HTML_template/src/assets/js/pages/invoicecreate.init.js : L556` `/src/backoffice/Mis_Eventos/mis_eventos.js : L273` `/src/backoffice/Mis_Eventos/mis_eventos.js : L643` `/src/backoffice/Mis_Eventos/mis_eventos.js : L649` `/src/backoffice/assets/js/pages/invoicecreate.init.js : L1` `/src/backoffice/assets/libs/toastify-js/src/toastify-es.js : L312` `/src/backoffice/assets/libs/toastify-js/src/toastify.js : L234` `/src/backoffice/client-events/module_clientEvents.js : L878` `/src/backoffice/client-events/module_clientEvents.js : L1003` `/src/backoffice/event-register/module_eventRegister.js : L1283`
🟡 WARNING HIGH	1791	A07:2021-XSS Salida directa sin sanitización (posible XSS) 📁 10 archivos afectados `/src/backoffice/Mis_Eventos/index.php : L3` `/src/backoffice/Mis_Eventos/index.php : L4` `/src/backoffice/Mis_Eventos/index.php : L4` `/src/backoffice/Mis_Eventos/index.php : L62` `/src/backoffice/Mis_Eventos/index.php : L62` `/src/backoffice/Mis_Eventos/index.php : L121` `/src/backoffice/Mis_Eventos/index.php : L121` `/src/backoffice/Mis_Eventos/index.php : L121` `/src/backoffice/Mis_Eventos/index.php : L121` `/src/backoffice/Mis_Eventos/index.php : L121` 🛠 Mitigación recomendada — Salida directa sin sanitización (XSS) ⚠️ Riesgo: Imprimir datos sin sanitizar permite ataques Cross-Site Scripting que pueden robar sesiones o ejecutar código malicioso. Pasos de remediación: Usar htmlspecialchars() con ENT_QUOTES y charset UTF-8. Usar htmlentities() como alternativa más completa. Implementar una Content Security Policy (CSP) en el servidor. Considerar usar un template engine que escape automáticamente (Twig). Nunca imprimir directamente datos de $_GET, $_POST, $_COOKIE. Ejemplo de código: echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8'); 🎯 Vector de Pentest: Reflected XSS, Stored XSS, Cookie Theft
🟡 WARNING	758	A05:2021-Security-Misconfiguration CWE-1333 RegExp construido con input del usuario — posible ReDoS 📁 10 archivos afectados `/src/backoffice/assets/libs/choices.js/src/scripts/choices.ts : L210` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ac.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ac.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ac.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ad.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ad.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ad.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ae.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ae.js : L35` `/src/backoffice/assets/libs/cleave.js/addons/cleave-phone.ae.js : L35`
🟡 WARNING	8	A03:2021-Injection CWE-1321 Object.assign con datos externos puede contaminar el prototipo 📁 8 archivos afectados `/src/backoffice/assets/libs/swiper/components-shared/get-params.js : L16` `/src/backoffice/assets/libs/swiper/modules/thumbs/thumbs.js : L60` `/src/front/assets/vendors/bootstrap/js/bootstrap.bundle.js : L2508` `/src/front/assets/vendors/bootstrap/js/bootstrap.bundle.js : L3322` `/src/front/assets/vendors/bootstrap/js/bootstrap.bundle.js : L3659` `/src/front/src/static/assets/vendors/bootstrap/js/bootstrap.bundle.js : L2508` `/src/front/src/static/assets/vendors/bootstrap/js/bootstrap.bundle.js : L3322` `/src/front/src/static/assets/vendors/bootstrap/js/bootstrap.bundle.js : L3659`
🟡 WARNING	3	A07:2021-Identification-Auth-Failures CWE-384 session_start() sin session_regenerate_id() en login — posible Session Fixation 📁 3 archivos afectados `/src/backoffice/components/header.php : L19` `/src/ws_hisPapel/index.php : L105` `/src/ws_hisPapel/index.php : L163`
🟡 WARNING	60	A01:2021 Ruta Slim sin middleware de autenticación detectada 📁 10 archivos afectados `/src/ws_hisPapel/index.php : L72` `/src/ws_hisPapel/index.php : L188` `/src/ws_hisPapel/index.php : L229` `/src/ws_hisPapel/index.php : L289` `/src/ws_hisPapel/index.php : L579` `/src/ws_hisPapel/index.php : L657` `/src/ws_hisPapel/index.php : L1108` `/src/ws_hisPapel/index.php : L1181` `/src/ws_hisPapel/index.php : L1226` `/src/ws_hisPapel/index.php : L1389`
🟡 WARNING	35	A01:2021-Broken-Access-Control CWE-352 Formulario POST sin verificación de token CSRF 📁 10 archivos afectados `/src/ws_hisPapel/index.php : L1112` `/src/ws_hisPapel/index.php : L1126` `/src/ws_hisPapel/index.php : L1127` `/src/ws_hisPapel/index.php : L1128` `/src/ws_hisPapel/index.php : L1392` `/src/ws_hisPapel/index.php : L1659` `/src/ws_hisPapel/index.php : L1659` `/src/ws_hisPapel/index.php : L1662` `/src/ws_hisPapel/index.php : L1663` `/src/ws_hisPapel/index.php : L1664`
🟡 WARNING	2	A04:2021 Input obtenido desde Slim Request sin validación explícita 📁 2 archivos afectados `/src/ws_hisPapel/index.php : L1191` `/src/ws_hisPapel/index.php : L6463`
🟡 WARNING	7	A05:2021-Security-Misconfiguration CWE-400 Upload sin verificar tamaño — posible DoS por archivos grandes 📁 7 archivos afectados `/src/ws_hisPapel/index.php : L3843` `/src/ws_hisPapel/index.php : L4153` `/src/ws_hisPapel/index.php : L4157` `/src/ws_hisPapel/index.php : L4192` `/src/ws_hisPapel/index.php : L4203` `/src/ws_hisPapel/index.php : L5070` `/src/ws_hisPapel/index.php : L5078`
🟡 WARNING	1	A07:2021 Algoritmo JWT potencialmente inseguro o no validado 📁 1 archivo afectado `/src/ws_hisPapel/middlewares/validateToken.php : L26`
🟡 WARNING	1	A02:2021-Cryptographic-Failures CWE-338 mt_rand()/rand() no son criptográficamente seguros — no usar para tokens 📁 1 archivo afectado `/src/ws_hisPapel/utils/utils.php : L26`
🔵 INFO	14	A01:2021-Broken-Access-Control CWE-285 fetch() a API interna sin header de Authorization — petición no autenticada 📁 10 archivos afectados `/src/backoffice/eventos-invitados/eventos_invitados.js : L989` `/src/backoffice/js/methods.js : L17` `/src/backoffice/js/methods.js : L30` `/src/backoffice/js/methods.js : L41` `/src/backoffice/ver_Invitacion/verInvitacion.js : L6` `/src/backoffice/ver_Invitacion/verInvitacion.js : L16` `/src/contactenos.js : L105` `/src/front/checkout/app.js : L129` `/src/front/checkout/app.js : L177` `/src/front/checkout/conekta.js : L129`
🔵 INFO	3	A05:2021-Security-Misconfiguration CWE-200 var_dump()/print_r() — posible exposición de datos en producción 📁 3 archivos afectados `/src/ws_hisPapel/index.php : L6220` `/src/ws_hisPapel/index.php : L6254` `/src/ws_hisPapel/index.php : L6362`
🔴 ERROR HIGH	812	A03:2021-Injection CWE-79 innerHTML/outerHTML con datos sin sanitizar — DOM XSS 📁 10 archivos afectados `/src/HTML_template/src/assets/js/app.js : L372` `/src/HTML_template/src/assets/js/app.js : L375` `/src/HTML_template/src/assets/js/app.js : L420` `/src/HTML_template/src/assets/js/app.js : L609` `/src/HTML_template/src/assets/js/app.js : L611` `/src/HTML_template/src/assets/js/app.js : L984` `/src/HTML_template/src/assets/js/app.js : L996` `/src/HTML_template/src/assets/js/app.js : L1011` `/src/HTML_template/src/assets/js/app.js : L1031` `/src/HTML_template/src/assets/js/app.js : L1057` 🛠 Mitigación recomendada — innerHTML con datos sin sanitizar — DOM XSS ⚠️ Riesgo: Asignar contenido sin sanitizar a innerHTML permite DOM-based XSS que ejecuta en el contexto del usuario, pudiendo robar cookies, tokens o realizar acciones en su nombre. Pasos de remediación: Usar textContent en lugar de innerHTML para texto plano. Si se necesita HTML, sanitizar con DOMPurify antes de asignar. Crear elementos DOM con createElement() y appendChild() en lugar de innerHTML. Implementar una Content Security Policy (CSP) como defensa en profundidad. Ejemplo de código: // Correcto — texto plano element.textContent = userInput; // Correcto — HTML sanitizado import DOMPurify from 'dompurify'; element.innerHTML = DOMPurify.sanitize(userInput); // Incorrecto element.innerHTML = userInput; 🎯 Vector de Pentest: DOM XSS, Cookie Theft, Session Hijacking
🔴 ERROR	32	A03:2021-Injection CWE-79 insertAdjacentHTML con datos sin sanitizar — DOM XSS 📁 10 archivos afectados `/src/HTML_template/src/assets/js/app.js : L1162` `/src/HTML_template/src/assets/js/pages/card.init.js : L17` `/src/HTML_template/src/assets/js/pages/card.init.js : L36` `/src/HTML_template/src/assets/js/pages/card.init.js : L56` `/src/HTML_template/src/assets/js/pages/chat.init.js : L732` `/src/HTML_template/src/assets/js/pages/chat.init.js : L831` `/src/HTML_template/src/assets/js/pages/file-manager.init.js : L270` `/src/HTML_template/src/assets/js/pages/job-grid-list.init.js : L54` `/src/HTML_template/src/assets/js/pages/tasks-kanban.init.js : L124` `/src/HTML_template/src/assets/js/pages/tasks-kanban.init.js : L166`
🔴 ERROR	6	A03:2021-Injection CWE-79 document.write() con datos dinámicos — DOM XSS 📁 6 archivos afectados `/src/HTML_template/src/assets/js/plugins.js : L12` `/src/HTML_template/src/assets/js/plugins.js : L13` `/src/HTML_template/src/assets/js/plugins.js : L14` `/src/backoffice/assets/js/plugins.js : L1` `/src/backoffice/assets/js/plugins.js : L1` `/src/backoffice/assets/js/plugins.js : L1`
🔴 ERROR CRITICAL	75	A03:2021-Injection CWE-98 include/require con variable dinámica — posible LFI/RFI 📁 10 archivos afectados `/src/backoffice/Mis_Eventos/index.php : L2` `/src/backoffice/Mis_Eventos/index.php : L413` `/src/backoffice/QR_scanner/index.php : L2` `/src/backoffice/QR_scanner/index.php : L117` `/src/backoffice/backOffice-user/index.php : L2` `/src/backoffice/backOffice-user/index.php : L181` `/src/backoffice/categorias/index.php : L2` `/src/backoffice/categorias/index.php : L138` `/src/backoffice/client-events/index.php : L2` `/src/backoffice/client-events/index.php : L240` 🛠 Mitigación recomendada — include/require dinámico — LFI/RFI ⚠️ Riesgo: Local File Inclusion permite leer archivos del servidor (/etc/passwd, logs) o ejecutar código. Remote File Inclusion permite cargar y ejecutar código desde un servidor remoto. Pasos de remediación: Usar un mapa de archivos permitidos (whitelist) en lugar de paths dinámicos. Validar el valor contra una lista fija de opciones permitidas. Nunca incluir rutas que vengan de $_GET, $_POST, o $_COOKIE. Deshabilitar allow_url_include en php.ini. Usar basename() o realpath() y verificar que el resultado esté dentro del directorio permitido. Ejemplo de código: $allowed = ['home' => 'home.php', 'about' => 'about.php']; $page = $allowed[$_GET['page']] ?? 'home.php'; include 'pages/' . $page; 🎯 Vector de Pentest: Local File Inclusion (LFI), Remote File Inclusion (RFI)
🔴 ERROR	2	A03:2021-Injection CWE-95 new Function() equivale a eval() — posible inyección de código 📁 2 archivos afectados `/src/backoffice/assets/libs/card/card.js : L1` `/src/backoffice/assets/libs/card/jquery.card.js : L1`
🔴 ERROR HIGH	2	A07:2021 JWT generado sin claim 'exp' 📁 2 archivos afectados `/src/ws_hisPapel/clsAuthentication.php : L26` `/src/ws_hisPapel/middlewares/validateToken.php : L26` 🛠 Mitigación recomendada — JWT sin expiración en PHP ⚠️ Riesgo: Tokens sin expiración permiten accesos indefinidos. Si un token es comprometido, permanece válido para siempre. Pasos de remediación: Agregar el claim 'exp' al payload del JWT. Definir una expiración corta (3600 = 1 hora). Validar la expiración explícitamente al verificar el token. Usar el claim 'iat' (issued at) para rastrear la emisión. Implementar revocación de tokens en base de datos o cache. Ejemplo de código: $payload = ['sub' => $userId, 'exp' => time() + 3600, 'iat' => time()]; $token = JWT::encode($payload, $secretKey, 'HS256'); 🎯 Vector de Pentest: Token Replay, Session Persistence After Logout
🔴 ERROR	4	A02:2021-Cryptographic Failures JWT::decode usado sin validación explícita de algoritmo 📁 4 archivos afectados `/src/ws_hisPapel/clsAuthentication.php : L36` `/src/ws_hisPapel/clsAuthentication.php : L53` `/src/ws_hisPapel/middlewares/validateToken.php : L34` `/src/ws_hisPapel/middlewares/validateToken.php : L51`
🔴 ERROR	177	A07:2021-XSS Datos del request enviados en la respuesta sin sanitización 📁 10 archivos afectados `/src/ws_hisPapel/index.php : L68` `/src/ws_hisPapel/index.php : L137` `/src/ws_hisPapel/index.php : L151` `/src/ws_hisPapel/index.php : L172` `/src/ws_hisPapel/index.php : L182` `/src/ws_hisPapel/index.php : L209` `/src/ws_hisPapel/index.php : L221` `/src/ws_hisPapel/index.php : L269` `/src/ws_hisPapel/index.php : L281` `/src/ws_hisPapel/index.php : L339`
🔴 ERROR	35	A03:2021-Injection Uso de input sin validación previa 📁 10 archivos afectados `/src/ws_hisPapel/index.php : L1112` `/src/ws_hisPapel/index.php : L1126` `/src/ws_hisPapel/index.php : L1127` `/src/ws_hisPapel/index.php : L1128` `/src/ws_hisPapel/index.php : L1392` `/src/ws_hisPapel/index.php : L1659` `/src/ws_hisPapel/index.php : L1659` `/src/ws_hisPapel/index.php : L1662` `/src/ws_hisPapel/index.php : L1663` `/src/ws_hisPapel/index.php : L1664`
🔴 ERROR CRITICAL	7	A03:2021-Injection CWE-434 Upload de archivo sin validación de tipo MIME — posible subida de webshell 📁 7 archivos afectados `/src/ws_hisPapel/index.php : L3843` `/src/ws_hisPapel/index.php : L4153` `/src/ws_hisPapel/index.php : L4157` `/src/ws_hisPapel/index.php : L4192` `/src/ws_hisPapel/index.php : L4203` `/src/ws_hisPapel/index.php : L5070` `/src/ws_hisPapel/index.php : L5078` 🛠 Mitigación recomendada — Upload de archivo sin validación de tipo — Webshell Upload ⚠️ Riesgo: Sin validar el tipo de archivo, un atacante puede subir una webshell PHP (.php, .phtml, .php5) y ejecutar comandos en el servidor. Pasos de remediación: Validar extensión: usar pathinfo() y comparar contra whitelist de extensiones permitidas. Validar MIME type real con finfo_file() (no confiar en el MIME del cliente). Renombrar el archivo al guardar (UUID + extensión controlada). Guardar uploads FUERA del webroot o en un directorio sin ejecución de PHP. Configurar el servidor web para no ejecutar scripts en el directorio de uploads. Verificar el tamaño máximo del archivo. Ejemplo de código: $allowed_ext = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; $ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION)); if (!in_array($ext, $allowed_ext)) die('Tipo no permitido'); $finfo = finfo_open(FILEINFO_MIME_TYPE); $mime = finfo_file($finfo, $_FILES['file']['tmp_name']); if (!in_array($mime, ['image/jpeg', 'image/png'])) die('MIME no permitido'); $newname = bin2hex(random_bytes(16)) . '.' . $ext; move_uploaded_file($_FILES['file']['tmp_name'], '/uploads/' . $newname); 🎯 Vector de Pentest: File Upload Bypass, Webshell Upload, RCE

🔑 Secretos y Credenciales Expuestas (Gitleaks)

⚠️ Acción requerida: Se encontraron 110 secreto(s) expuesto(s). Rotar inmediatamente todas las credenciales detectadas.

Severidad	Tipo	Archivo : Línea	Descripción	Preview
HIGH	`generic-api-key`	ws_hisPapel/envio.php : L3	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`DQCcwV***`
HIGH	`generic-api-key`	ws_hisPapel/index.php : L3514	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`DQCcwV***`
HIGH	`generic-api-key`	ws_hisPapel/index.php : L7229	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`DQCcwV***`
HIGH	`generic-api-key`	ws_hisPapel/index.php : L7318	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`DQCcwV***`
HIGH	`generic-api-key`	ws_hisPapel/index.php : L7264	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`DQCcwV***`
HIGH	`generic-api-key`	ws_hisPapel/index.php : L4347	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`DQCcwV***`
HIGH	`generic-api-key`	ws_hisPapel/index.php : L5024	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`3e711a***`
HIGH	`generic-api-key`	ws_hisPapel/index.php : L5024	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`3e711a***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L2	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EB1Zj7***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L5	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EJ3i95***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L2	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EB1Zj7***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L5	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EJ3i95***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L9	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EAw-Il***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L2	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EB1Zj7***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L5	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EJ3i95***`
HIGH	`generic-api-key`	ws_hisPapel/.env : L2	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`EB1Zj7***`
HIGH	`generic-api-key`	front/docs/components/map.html : L229	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	front/docs/components/map.html : L258	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	front/docs/components/map.html : L287	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	front/docs/components/map.html : L316	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	front/docs/components/map.html : L345	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	front/src/data/mapbox_access_token.yml : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	ws_hisPapel/clsAuthentication.php : L8	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`68V0zW***`
HIGH	`generic-api-key`	ws_hisPapel/clsAuthentication.php : L62	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`68V0zW***`
HIGH	`generic-api-key`	ws_hisPapel/clsAuthentication.php : L100	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`68V0zW***`
HIGH	`generic-api-key`	ws_hisPapel/clsAuthentication.php : L121	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`68V0zW***`
HIGH	`generic-api-key`	assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L6	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`fef670***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L14	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`ed4c0d***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L22	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`0b53e8***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L30	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`b69ee2***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L38	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`33ec3a***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L46	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`845403***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L54	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`aecc1e***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L62	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`8abba6***`
HIGH	`generic-api-key`	assets/json/api-key-list.json : L70	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`9e6d33***`
HIGH	`generic-api-key`	assets/libs/quill/quill.min.js : L7	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`e.defa***`
HIGH	`generic-api-key`	HTML/src/assets/js/pages/leaflet-map.init.js : L12	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/src/assets/js/pages/leaflet-map.init.js : L25	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/src/assets/js/pages/leaflet-map.init.js : L57	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/src/assets/js/pages/leaflet-map.init.js : L113	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/src/assets/js/pages/leaflet-map.init.js : L162	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L6	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`fef670***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L14	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`ed4c0d***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L22	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`0b53e8***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L30	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`b69ee2***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L38	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`33ec3a***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L46	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`845403***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L54	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`aecc1e***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L62	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`8abba6***`
HIGH	`generic-api-key`	HTML/src/assets/json/api-key-list.json : L70	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`9e6d33***`
HIGH	`gcp-api-key`	HTML/src/html/corporate/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/creative/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/default/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/galaxy/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/interactive/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/material/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/minimal/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/modern/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HTML/src/html/saas/maps-google.html : L108	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/js/pages/leaflet-map.init.js : L1	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`pk.eyJ***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L6	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`fef670***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L14	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`ed4c0d***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L22	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`0b53e8***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L30	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`b69ee2***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L38	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`33ec3a***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L46	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`845403***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L54	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`aecc1e***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L62	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`8abba6***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/json/api-key-list.json : L70	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`9e6d33***`
HIGH	`generic-api-key`	HTML/dist/corporate/assets/libs/quill/quill.min.js : L7	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`e.defa***`
HIGH	`gcp-api-key`	HTML/dist/corporate/maps-google.html : L2715	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`generic-api-key`	ws_hisPapel/middlewares/AESAlgorithm.php : L9	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`P3htbL***`
HIGH	`generic-api-key`	ws_hisPapel/middlewares/AESAlgorithm.php : L10	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`32c3+3***`
HIGH	`generic-api-key`	ws_hisPapel/middlewares/validateToken.php : L10	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`xNyle6***`
HIGH	`private-key`	ws_hisPapel/vendor/firebase/php-jwt/README.md : L112	Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.	`-----B***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L7	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`fef670***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L15	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`ed4c0d***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L23	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`0b53e8***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L31	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`b69ee2***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L39	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`33ec3a***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L47	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`845403***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L55	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`aecc1e***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L63	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`8abba6***`
HIGH	`generic-api-key`	HEP_2024_frontend/src/common/data/apiKey.js : L71	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`9e6d33***`
HIGH	`gcp-api-key`	HEP_2024_frontend/src/views/maps/google.vue : L303	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HEP_2024_frontend/src/views/maps/google.vue : L313	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HEP_2024_frontend/src/views/maps/google.vue : L329	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	HEP_2024_frontend/src/views/maps/google.vue : L341	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L7	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`fef670***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L15	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`ed4c0d***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L23	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`0b53e8***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L31	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`b69ee2***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L39	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`33ec3a***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L47	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`845403***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L55	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`aecc1e***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L63	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`8abba6***`
HIGH	`generic-api-key`	template_corporate/src/common/data/apiKey.js : L71	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	`9e6d33***`
HIGH	`gcp-api-key`	template_corporate/src/views/maps/google.vue : L303	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	template_corporate/src/views/maps/google.vue : L313	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	template_corporate/src/views/maps/google.vue : L329	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`
HIGH	`gcp-api-key`	template_corporate/src/views/maps/google.vue : L341	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	`AIzaSy***`

🤖 Análisis Inteligente

El agente IA analiza los hallazgos del proyecto y genera un reporte ejecutivo con contexto, priorización y recomendaciones de remediación específicas al stack detectado.

✅ Tracker de Remediaciones

Registra el estado de cada remediación aplicada. Los datos se guardan en el navegador.

WARNING A07:2021-Identification-Auth-Failures
Comparación de secretos con === — vulnerable a Timing Attack, usar crypto.timingSafeEqual

8400 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A03:2021-Injection
setTimeout/setInterval con string en lugar de función — eval implícito

271 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A03:2021-Injection
Asignación con propiedad dinámica puede contaminar __proto__

3892 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A01:2021-Broken-Access-Control
API Gateway sin whitelist de rutas — todas las acciones expuestas por defecto

757 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A01:2021-Broken-Access-Control
window.location con datos sin validar — posible Open Redirect

17 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A07:2021-XSS
Salida directa sin sanitización (posible XSS)

1791 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A05:2021-Security-Misconfiguration
RegExp construido con input del usuario — posible ReDoS

758 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A03:2021-Injection
Object.assign con datos externos puede contaminar el prototipo

8 ocurrencias en 8 archivo(s)

⏳ Pendiente

WARNING A07:2021-Identification-Auth-Failures
session_start() sin session_regenerate_id() en login — posible Session Fixation

3 ocurrencias en 3 archivo(s)

⏳ Pendiente

WARNING A01:2021
Ruta Slim sin middleware de autenticación detectada

60 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A01:2021-Broken-Access-Control
Formulario POST sin verificación de token CSRF

35 ocurrencias en 10 archivo(s)

⏳ Pendiente

WARNING A04:2021
Input obtenido desde Slim Request sin validación explícita

2 ocurrencias en 2 archivo(s)

⏳ Pendiente

WARNING A05:2021-Security-Misconfiguration
Upload sin verificar tamaño — posible DoS por archivos grandes

7 ocurrencias en 7 archivo(s)

⏳ Pendiente

WARNING A07:2021
Algoritmo JWT potencialmente inseguro o no validado

1 ocurrencias en 1 archivo(s)

⏳ Pendiente

WARNING A02:2021-Cryptographic-Failures
mt_rand()/rand() no son criptográficamente seguros — no usar para tokens

1 ocurrencias en 1 archivo(s)

⏳ Pendiente

ERROR A03:2021-Injection
innerHTML/outerHTML con datos sin sanitizar — DOM XSS

812 ocurrencias en 10 archivo(s)

⏳ Pendiente

ERROR A03:2021-Injection
insertAdjacentHTML con datos sin sanitizar — DOM XSS

32 ocurrencias en 10 archivo(s)

⏳ Pendiente

ERROR A03:2021-Injection
document.write() con datos dinámicos — DOM XSS

6 ocurrencias en 6 archivo(s)

⏳ Pendiente

ERROR A03:2021-Injection
include/require con variable dinámica — posible LFI/RFI

75 ocurrencias en 10 archivo(s)

⏳ Pendiente

ERROR A03:2021-Injection
new Function() equivale a eval() — posible inyección de código

2 ocurrencias en 2 archivo(s)

⏳ Pendiente

ERROR A07:2021
JWT generado sin claim 'exp'

2 ocurrencias en 2 archivo(s)

⏳ Pendiente

ERROR A02:2021-Cryptographic Failures
JWT::decode usado sin validación explícita de algoritmo

4 ocurrencias en 4 archivo(s)

⏳ Pendiente

ERROR A07:2021-XSS
Datos del request enviados en la respuesta sin sanitización

177 ocurrencias en 10 archivo(s)

⏳ Pendiente

ERROR A03:2021-Injection
Uso de input sin validación previa

35 ocurrencias en 10 archivo(s)

⏳ Pendiente

ERROR A03:2021-Injection
Upload de archivo sin validación de tipo MIME — posible subida de webshell

7 ocurrencias en 7 archivo(s)

⏳ Pendiente

📋 Histórico de Auditorías

Fecha	Proyecto	Score	Estado	Críticos	Secretos	Reporte
04/03/2026 21:45	SISTWEB_HenP_24	10 (F)	🚨 Crítico	1152	110	Ver

VibeSense Security Audit

🚨 Crítico

📊 OWASP Top 10 — Categorías Afectadas

📈 Historial de Score — SISTWEB_HenP_24

🤖 Análisis Inteligente