# appsecco/dvna — Trust Profile

Trust profile for appsecco/dvna. 6 exploitable paths across 6 endpoints.

## Structure

- **Total routes:** 30
- **Public:** 0
- **Protected:** 8
- **Exploitable:** 6
- **Auth coverage:** null%

## Summary

- **Exploitable paths:** 6
- **Confirmed findings:** 12
- **Review findings:** 4

## Attack Paths (6)

### POST /bulkproductslegacy

- **Sink:** serialize.unserialize()
- **Impact:** Remote code execution
- **File:** core/appHandler.js:215

### POST /calc

- **Sink:** mathjs.eval()
- **Impact:** Arbitrary code execution
- **File:** core/appHandler.js:194

### POST /ping

- **Sink:** exec()
- **Impact:** Command execution on server
- **File:** core/appHandler.js:38

### POST /usersearch

- **Sink:** db.sequelize.query()
- **Impact:** Unauthorized database access
- **File:** core/appHandler.js:9

### POST /bulkproducts

- **Sink:** libxmljs.parseXmlString()
- **Impact:** File disclosure, SSRF, or denial of service
- **File:** core/appHandler.js:233

### GET /redirect

- **Sink:** res.redirect()
- **Impact:** Abuse of Redirect control
- **File:** core/appHandler.js:186

## Review Items (2)

- **/resetpw allows sensitive field exposure sink** (2 locations)
- **Predictable Token via MD5 Hash** (2 locations)

## High-Risk Dependencies

- **mathjs@3.10.1**
- **node-serialize@0.0.4**
- **libxmljs@0.19.1**
- **sequelize@4.13.10**