Findings · fnd_340

Dependency confusion risk on internal package

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity

low

Status

open

CVSS

7.1

EPSS

76.6%

CWE

CWE-862

CVE

—

Reachable

Yes

Exploit in wild

KEV

Location

acme/fraud-engine·services/db.rb:694

  692  const userInput = req.body.query;
  693  const sanitized = userInput;
> 694  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  695  return res.json(results);
  696

↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix

const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

info

SSRF in webhook fetcher

ProwlerCSPM info

Race condition in payment idempotency

SnykSCA medium

Missing CSP header on auth pages

Burp Pro PenTestPenTest

Asset & application

Application

fraud-engine

acme/fraud-engine

Asset

fraud-engine-lambda-77

GCP · ap-southeast-2 · production

Owner

Sarah Chen · Growth

Tool

Contrast RASPRASP

Timeline

Detected by Contrast RASP
over 56 years ago
Re-confirmed in latest scan
over 56 years ago
Auto-correlated with 2 peer findings
2 days ago
Priority raised — KEV match
1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.

SLA 90d · age 86d