Stored_XSS @ /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java

[oscardatastream]

Checkmarx (SAST): Stored_XSS
Security Issue: Read More about Stored_XSS
Checkmarx Project: oscardatastream/slackDatastream
Repository URL: https://github.com/oscardatastream/slackDatastream
Branch: master
Scan ID: c523472e-01c3-4305-b7dd-e80238456bde

---

The method elimniar embeds untrusted data in generated output with mav, at line 76 of /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page.

The attacker would be able to alter the returned web page by saving malicious data in a data-store ahead of time. The attacker's modified data is then read from the database by the listar method with listaAlumnos, at line 26 of /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java. This untrusted data then flows through the code straight to the output web page, without sanitization. 

This can enable a Stored Cross-Site Scripting (XSS) attack.

Result #1:
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. listaAlumnos: /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java[26,29]
    2. listaAlumnos: /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java[28,33]
    3. addObject: /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java[28,16]
    4. mav: /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java[28,3]
    5. mav: /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java[29,3]
    6. listar: /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java[75,9]
    7. mav: /07_SpringMVC/src/main/java/com/curso/java/controladores/AlumnoControlador.java[76,10]
    Review result in Checkmarx One: Stored_XSS