initial shortcut modal #16593

differsthecat · 2025-09-25T13:41:03Z

🎟️ Tracking

📔 Objective

📸 Screenshots

⏰ Reminders before review

Contributor guidelines followed
All formatters and local linters executed and passed
Written new unit and / or integration tests where applicable
Protected functional changes with optionality (feature flags)
Used internationalization (i18n) for all UI strings
CI builds passed
Communicated to DevOps any deployment requirements
Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

👍 (:+1:) or similar for great changes
📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
❓ (:question:) for questions
🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
🎨 (:art:) for suggestions / improvements
❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
⛏ (:pick:) for minor or nitpick changes

sonarqubecloud · 2025-09-25T13:47:01Z

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-actions · 2025-09-25T13:51:26Z

Checkmarx One – Scan Summary & Details – 1c17e32c-c82b-4f8b-a1bf-6a8f931da754

New Issues (54)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2024-40643	Npm-htmlparser2-3.10.1	details Recommended version: 5.0.0 Description: Joplin is a free, open-source note-taking and to-do application. Joplin fails to consider that "<" followed by a non-letter character will not be c... Attack Vector: NETWORK Attack Complexity: LOW `ID: P4cByXzaQLt2SU%2BPknntV1tzZfXdBQLEuEYi6KqC8xg%3D` Vulnerable Package
CVE-2025-7783	Npm-form-data-3.0.3	details Recommended version: 3.0.4 Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program... Attack Vector: NETWORK Attack Complexity: HIGH `ID: DRH%2FfvtUjK54HPxGL%2BZs2Re0jVqqw%2BjAaaPo31cJ%2BX0%3D` Vulnerable Package
CVE-2025-7783	Npm-axios-1.10.0	details Recommended version: 1.12.0 Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program... Attack Vector: NETWORK Attack Complexity: HIGH `ID: OAxegggvUXbUuhuUmPenHHPrwdBXv2f7hwUDOpRjV30%3D` Vulnerable Package
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 311	details Method Lambda at line 311 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... `ID: yanz3IZH8dvTWCSC0o6MAhP2hS0%3D` Attack Vector
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 343	details Method Lambda at line 343 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... `ID: MejsPiMqgdOoFERi%2F%2FKCW9XKZ2s%3D` Attack Vector
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 343	details Method Lambda at line 343 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... `ID: 51PTnSHYZc51x5GxMo6f4UeWhNE%3D` Attack Vector
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 311	details Method Lambda at line 311 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... `ID: rnn3zh6RKkCbfpwXRQbjo%2Bc7dW4%3D` Attack Vector
CVE-2025-10500	Npm-electron-36.8.1	details Recommended version: 38.1.2 Description: Use After Free in Dawn in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML... Attack Vector: NETWORK Attack Complexity: LOW `ID: B08pzLrK%2BbQtB1hqoEBFbAzrp7UGur8CWIS%2FPZEFxb0%3D` Vulnerable Package
CVE-2025-58754	Npm-axios-1.10.0	details Recommended version: 1.12.0 Description: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.12.0 runs on Node.js and is given a URL with the "d... Attack Vector: NETWORK Attack Complexity: LOW `ID: Jc0%2FQJnqLCw%2BsIPIjIm7kuBWoKqjL3O3vzJEOrZn6jA%3D` Vulnerable Package
CVE-2025-8880	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Race in V8 in Google Chrome through 139.0.7258.126 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Attack Vector: NETWORK Attack Complexity: LOW `ID: jWDKJIR%2FOATg1OfwnL60BFAk593Jv84qhbgGvI53dZo%3D` Vulnerable Package
CVE-2025-8882	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Use after free in Aura in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to... Attack Vector: NETWORK Attack Complexity: LOW `ID: 6PvjkrpRWpdBnklJ83QZ8IciSKde%2BjhpM8um2KmUF8A%3D` Vulnerable Package
CVE-2025-8901	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Out-of-bounds Write in ANGLE in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to perform out-of-bounds memory access via a crafte... Attack Vector: NETWORK Attack Complexity: LOW `ID: sX%2Bn9oVfH3p9fp%2Bm7FYLuxXPwLpCz4riwkKuoWUgsL0%3D` Vulnerable Package
CVE-2025-9132	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Out-of-bounds Write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted H... Attack Vector: NETWORK Attack Complexity: LOW `ID: I%2FnWpPM%2BrNBs0fbxKqiyW167XBAsOToK6Tyw5StlrUc%3D` Vulnerable Package
CVE-2025-9478	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTM... Attack Vector: NETWORK Attack Complexity: LOW `ID: HZJzgmGtT5%2F45eRgp1bLcxpfhwYrXm7wR1FdAVuJf2A%3D` Vulnerable Package
CVE-2025-9864	Npm-electron-36.8.1	details Recommended version: 38.1.0 Description: Use After Free in V8 in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Attack Vector: NETWORK Attack Complexity: LOW `ID: w4iTLlxGVoL1IhSbsFSI5Nta6qjuUpHyeamJHNM1YL0%3D` Vulnerable Package
CVE-2025-9866	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Inappropriate implementation in Extensions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to bypass content security policy via ... Attack Vector: NETWORK Attack Complexity: LOW `ID: bMGFZpozbM1gyckyflA0dMW1qS3uWktTJRlJRPfD5MY%3D` Vulnerable Package
Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is... `ID: J8h77eFiSWyRh3XTl0AMwUPdp0s%3D` Attack Vector
Cx39aef355-ca85	Npm-@eslint/plugin-kit-0.2.8	details Recommended version: 0.3.4 Description: The "ConfigCommentParser#parseJSONLikeConfig" API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. This... Attack Vector: NETWORK Attack Complexity: LOW `ID: XdyhcomSosl7d9S%2Bgt2b0t9Y%2FGFuy%2BRDyV2%2B98l0Mo4%3D` Vulnerable Package
Cxdca8e59f-8bfe	Npm-inflight-1.0.6	details Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the... Attack Vector: NETWORK Attack Complexity: LOW `ID: 7eu6iePTF9dScD9Lh1bOBYRoyU3PzzHyBFXnkI1oBeM%3D` Vulnerable Package
Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 380	details Method Lambda at line 380 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... `ID: 1bL9pWF94fFnBOgE4369ewjYTX0%3D` Attack Vector
Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 380	details Method Lambda at line 380 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... `ID: VE4bITfmQxPB%2B3y%2Bx6nGBmFAEac%3D` Attack Vector
CVE-2025-10890	Npm-electron-36.8.1	details Description: The google chrome version prior to 140.0.7339.207 is vulnerable to Side-channel information leakage in V8. Attack Vector: NETWORK Attack Complexity: HIGH `ID: geWpTJLVUZSyx88k%2FN3Ahe75PN0EDCEbQstvzRPu6DM%3D` Vulnerable Package
CVE-2025-30359	Npm-webpack-dev-server-5.2.0	details Recommended version: 5.2.1 Description: The webpack-dev-server allows users to use webpack with a development server that provides live reloading. The webpack-dev-server users' source cod... Attack Vector: NETWORK Attack Complexity: HIGH `ID: rCTe9qzcOl%2BkqPY%2B%2FKj9lFDCmXCgx%2FRucR3sqiHACzk%3D` Vulnerable Package
CVE-2025-30360	Npm-webpack-dev-server-5.2.0	details Recommended version: 5.2.1 Description: Webpack-dev-server allows users to use webpack with a development server that provides live reloading. Webpack-dev-server users' source code may b... Attack Vector: NETWORK Attack Complexity: LOW `ID: cW9gXYYGEz2nPy4uMON%2B8VdV9CtcAOg%2BMtc7rkEyXYc%3D` Vulnerable Package
CVE-2025-8129	Npm-koa-2.16.1	details Recommended version: 2.16.2 Description: A vulnerability, which was classified as problematic, was found in KoaJS Koa versions through 2.16.1 and versions 3.0.0-alpha0 through 3.0.0. Affec... Attack Vector: NETWORK Attack Complexity: LOW `ID: GtBHOALtzMFF6A%2Bq%2B3K%2BQPTeWLIhh5oWIhyCGpZP9nU%3D` Vulnerable Package
CVE-2025-8583	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Inappropriate implementation in Permissions in Google Chrome through 139.0.7258.65 allowed a remote attacker to perform UI spoofing via a crafted H... Attack Vector: NETWORK Attack Complexity: LOW `ID: ABua4%2FcInOvRwMN0klJN0kjNYfs0qqHFp2mLG8sPYfI%3D` Vulnerable Package
CVE-2025-8881	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in sp... Attack Vector: NETWORK Attack Complexity: LOW `ID: 9mRLU%2Be8%2B2pkEGmQ8PYmc9qLh0tS6IylkE2YLNmHRDI%3D` Vulnerable Package
CVE-2025-9865	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Inappropriate implementation in the Toolbar in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker who convinced a user to en... Attack Vector: NETWORK Attack Complexity: LOW `ID: nixi5%2FgOXwHS9PwQbGcqbctfBxnydXL7YnYsuX4xeKo%3D` Vulnerable Package
CVE-2025-9867	Npm-electron-36.8.1	details Recommended version: 36.9.0 Description: Inappropriate implementation in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a... Attack Vector: NETWORK Attack Complexity: LOW `ID: Pq%2FDoRv7mNdtk3hVyD3HfkIfSZOhe2ACr4TZN0Y5tiM%3D` Vulnerable Package
Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web... `ID: ERUIOf8nz7H9qTeJgj9br44RfOU%3D` Attack Vector
Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /... `ID: 0J7MONsxfaUSQFRMXNuzAJ0kfRE%3D` Attack Vector
HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 37	details The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp... `ID: GaFGH21C7jMu1QpVRaBCDH%2Bd0W8%3D` Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 402	details The application takes sensitive, personal data cipherService, found at line 402 of /apps/cli/src/commands/get.command.ts, and stores it in an unp... `ID: o64ARoZ7cdpmnl3722L1%2FxFMqBE%3D` Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 403	details The application takes sensitive, personal data cipher, found at line 403 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... `ID: iXKsShFM%2FCUEOt4KkSp0bnEPaDw%3D` Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 77	details The application takes sensitive, personal data password, found at line 77 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... `ID: K18O85ncXOC6lhK6IvYFLyNNBAs%3D` Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 82	details The application takes sensitive, personal data password, found at line 82 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... `ID: epZvajFL2toUgx0153QGpW%2Ff3Ew%3D` Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 387	details The application takes sensitive, personal data cipher, found at line 387 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... `ID: DZdLY3BCsmH5SZot3rMLsW%2F8bzk%3D` Attack Vector
Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 699	details The web-application does not define an HSTS header, leaving it vulnerable to attack. `ID: WuPrsECJ9pM%2BNBowkuhQEthv7LA%3D` Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/libs/node/src/services/node-crypto-function.service.ts: 339	details In toNodeCryptoAesMode, the application protects sensitive data using a cryptographic algorithm, "aes-256-ecb", that is considered weak or even t... `ID: zRwZAdQwKYvJllYvIfg2%2FX%2F5jFE%3D` Attack Vector
Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/icon/icon.component.ts: 30	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/icon/icon.component.ts i... `ID: TuXrvfC3QSiwXA3dynrYMmgyD6Q%3D` Attack Vector
Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/avatar/avatar.component.ts: 96	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /libs/components/src/avatar/avatar.comp... `ID: p3xM9XJ2b8uXntt84Va4Lt%2BAIkY%3D` Attack Vector
Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 78	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar... `ID: RmRXHNEUBCsm490STUuSJBvaQVw%3D` Attack Vector
CVE-2025-54798	Npm-tmp-0.0.33	details Recommended version: 0.2.4 Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo... Attack Vector: LOCAL Attack Complexity: HIGH `ID: APP1GE%2Bh2QgF3C8as%2Fi7Afj2rn%2BlIQxcGagqHpM28u0%3D` Vulnerable Package
CVE-2025-54798	Npm-tmp-0.2.3	details Recommended version: 0.2.4 Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo... Attack Vector: LOCAL Attack Complexity: HIGH `ID: f9prqK6exKWs8mkup1yZZvdm4Y%2FW7vNiN6ltinUHYfA%3D` Vulnerable Package
CVE-2025-58751	Npm-vite-6.3.5	details Recommended version: 6.3.6 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 62B1LGaNosW1mtUjUagUB%2BcxZpjUL0X3KyFH0GoaPxQ%3D` Vulnerable Package
CVE-2025-58751	Npm-vite-6.2.7	details Recommended version: 6.3.6 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 7FwDiygM2jgJw30P0uPjeDD7mMXvyWEl98fq74H4VOA%3D` Vulnerable Package
CVE-2025-58752	Npm-vite-6.2.7	details Recommended version: 6.3.6 Description: Vite is a frontend tooling framework for JavaScript. In Vite versions through 5.4.19, 6.x through 6.3.5, 7.0.x through 7.0.6 and 7.1.x through 7.1.... Attack Vector: NETWORK Attack Complexity: LOW `ID: hryL5bo%2Fp4XUGxO%2FS%2BrJNe7KYGyawagibLHcnIBRIzg%3D` Vulnerable Package
CVE-2025-7339	Npm-on-headers-1.0.2	details Recommended version: 1.1.0 Description: The on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions prior to 1.1.0 may result in r... Attack Vector: LOCAL Attack Complexity: LOW `ID: iohznNY9tXt5d8lAiIV1n%2FHni%2BFr85%2BcTKrPX7s2liI%3D` Vulnerable Package
Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 68	details The application employs an HTML iframe at whose contents are not properly sandboxed `ID: eC9rGjAaHK3DyR9G%2BtM7mnxXkNU%3D` Attack Vector
Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/iframe-content/autofill-inline-menu-iframe.service.ts: 87	details The application employs an HTML iframe at whose contents are not properly sandboxed `ID: mfl0i7Wn6Zj3Z71nx1CQn0bYd3s%3D` Attack Vector
Cx8bc4df28-fcf5	Npm-debug-3.2.7	details Recommended version: 4.4.0 Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... Attack Vector: NETWORK Attack Complexity: HIGH `ID: KumIjm%2BOsyNtl4Rmv2YUk1lEqA2RTwWpHeo4cXeDkhE%3D` Vulnerable Package
Cx8bc4df28-fcf5	Npm-debug-2.6.9	details Recommended version: 4.4.0 Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... Attack Vector: NETWORK Attack Complexity: HIGH `ID: tXuJlNthPgfslVzROnupCL9VchHf6qKl9At2r4TAYrY%3D` Vulnerable Package
Cxda14f253-4e52	Npm-bluebird-3.7.2	details Description: The package `bluebird` is vulnerable to memory leak, when running the function longStackTraces() with the flag `--expose_gc`. This causes a signifi... Attack Vector: NETWORK Attack Complexity: HIGH `ID: XZp9sVzS91tYGMsuRwBQAp19D95pjTEAWiI67Z2l0WA%3D` Vulnerable Package
Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 699	details A Content Security Policy is not explicitly defined within the web-application. `ID: sSimnlpkrLMkoSF9GEXprQ75N0c%3D` Attack Vector

initial shortcut modal

648981f

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

initial shortcut modal #16593

initial shortcut modal #16593

differsthecat commented Sep 25, 2025

Uh oh!

sonarqubecloud bot commented Sep 25, 2025

Uh oh!

github-actions bot commented Sep 25, 2025

Uh oh!

Uh oh!

initial shortcut modal #16593

Are you sure you want to change the base?

initial shortcut modal #16593

Conversation

differsthecat commented Sep 25, 2025

🎟️ Tracking

📔 Objective

📸 Screenshots

⏰ Reminders before review

🦮 Reviewer guidelines

Uh oh!

sonarqubecloud bot commented Sep 25, 2025

Quality Gate passed

Uh oh!

github-actions bot commented Sep 25, 2025

Uh oh!

Uh oh!