# appsecco/dvna — Trust Profile

Trust profile for appsecco/dvna. 6 exploitable paths across 6 endpoints.

## Structure

- **Total routes:** 30
- **Public:** 0
- **Protected:** 6
- **Exploitable:** 6
- **Auth coverage:** null%

## Summary

- **Exploitable paths:** 6
- **Confirmed findings:** 11
- **Review findings:** 2

## Attack Paths (6)

### POST /bulkproductslegacy

- **Sink:** serialize.unserialize()
- **Impact:** Remote code execution
- **File:** core/appHandler.js:215

### POST /calc

- **Sink:** mathjs.eval()
- **Impact:** Arbitrary code execution
- **File:** core/appHandler.js:194

### POST /ping

- **Sink:** exec()
- **Impact:** Command execution on server
- **File:** core/appHandler.js:38

### POST /usersearch

- **Sink:** db.sequelize.query()
- **Impact:** Unauthorized database access
- **File:** core/appHandler.js:9

### POST /bulkproducts

- **Sink:** libxmljs.parseXmlString()
- **Impact:** File disclosure, SSRF, or denial of service
- **File:** core/appHandler.js:233

### GET /redirect

- **Sink:** res.redirect()
- **Impact:** Abuse of Redirect control
- **File:** core/appHandler.js:186

## Review Items (1)

- **Predictable Token via MD5 Hash** (2 locations)

## High-Risk Dependencies

- **sequelize@4.13.10**
- **libxmljs@0.19.1**
- **mathjs@3.10.1**
- **node-serialize@0.0.4**
- **express@4.16.2**
- **bcrypt@1.0.3**
- **passport@0.4.0**
- **express-fileupload@0.4.0**
- **morgan@1.9.0**
- **ejs@2.5.7**
- **mysql2@1.4.2**