CWE 89
Greetings AIO,
Our organization has been leveraging Veracode to scan for and remediate potential security flaws across all of our corporate websites. Your plugin was recently flagged by Veracode as a source for several ‘High Severity’ flaws (see below) and we are currently exploring options to remediate. This is a concern for us from a security perspective since we have paid for and installed your plugin on all our websites.
We are reaching out to you to get your thoughts on their risk assessment of your software and to learn if there is anything we can do on our end to remediate, or if there are any plans to mitigate on your end:
CWE-89 – “Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)”
Read More: https://cwe.mitre.org/data/definitions/89.html
1) plugins/all-in-one-wp-migration/lib/vendor/servmask/database/class-ai1wm-database.php: 847
$query = $this->replace_table_engines( $query );
2) plugins/all-in-one-wp-migration/lib/vendor/servmask/database/class-ai1wm-database.php: 850
$this->query( $query );
3) plugins/all-in-one-wp-migration/lib/vendor/servmask/database/class-ai1wm-database-mysql.php: 39
return mysql_query( $input, $this->wpdb->dbh );
Thanks!