After running Veracode on the Spectrum OneClick system, we see it identified the following two vulnerabilities:
CWE ID 829 = Inclusion of Functionality from Untrusted Control Sphere
CWE ID 693 = Protection Mechanism Failure
Is Spectrum OneClick affected by these vulnerabilities?
Version: Spectrum 22.x and 23.x
Component: Vulnerability
The fix for CWE 829 is already implemented. We are using the built-in Tomcat filters, which do not yet support the Content-Security-Policy (CSP) header; we may need to create custom filters to add CSP support, but the X-Frame-Options, HSTS and other security headers already present should cover the need for CSP.
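The custom filter mentioned above, as an added illustration that is not Spectrum's own code and not part of the Tomcat distribution: a minimal javax.servlet Filter that sets a Content-Security-Policy header on every response, alongside (in the trailing comment) the web.xml registration for it and for Tomcat's built-in HttpHeaderSecurityFilter that supplies the HSTS and X-Frame-Options headers. The class name, the `policy` init-param, the example policy string and the assumption of a javax.servlet (Tomcat 9-era) API are all mine; Spectrum's actual web.xml layout is not known here.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not shipped with Tomcat or Spectrum) that adds a
 * Content-Security-Policy header, the one header Tomcat's built-in
 * HttpHeaderSecurityFilter does not emit.
 */
public class ContentSecurityPolicyFilter implements Filter {

    // Assumed default: only same-origin resources, no plugins, no embedding
    // by other origins (frame-ancestors is the CSP equivalent of X-Frame-Options).
    private static final String DEFAULT_POLICY =
            "default-src 'self'; object-src 'none'; frame-ancestors 'self'";

    private String policy;

    @Override
    public void init(FilterConfig config) {
        // Let deployers override the policy via an init-param named "policy" (assumed name).
        String configured = config.getInitParameter("policy");
        policy = (configured == null || configured.trim().isEmpty())
                ? DEFAULT_POLICY : configured.trim();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Headers must be set before the response is committed, i.e. before
            // the rest of the chain writes the body; do not clobber a header the
            // application already chose for a specific page.
            if (!http.containsHeader("Content-Security-Policy")) {
                http.setHeader("Content-Security-Policy", policy);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/* Registration in the web application's WEB-INF/web.xml (placement in
 * Spectrum's own deployment is an assumption). The first filter is Tomcat's
 * built-in one, whose init-params are the documented ones for HSTS and
 * anti-clickjacking; the second is the custom class above.
 *
 * <filter>
 *   <filter-name>httpHeaderSecurity</filter-name>
 *   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
 *   <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
 *   <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
 *   <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
 *   <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
 *   <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
 * </filter>
 * <filter-mapping>
 *   <filter-name>httpHeaderSecurity</filter-name>
 *   <url-pattern>/*</url-pattern>
 * </filter-mapping>
 *
 * <filter>
 *   <filter-name>contentSecurityPolicy</filter-name>
 *   <filter-class>ContentSecurityPolicyFilter</filter-class>
 *   <init-param>
 *     <param-name>policy</param-name>
 *     <param-value>default-src 'self'; object-src 'none'; frame-ancestors 'self'</param-value>
 *   </init-param>
 * </filter>
 * <filter-mapping>
 *   <filter-name>contentSecurityPolicy</filter-name>
 *   <url-pattern>/*</url-pattern>
 * </filter-mapping>
 */
```

A CSP this strict blocks inline scripts and styles, which an existing web UI may rely on; a common rollout is to ship the same policy under the Content-Security-Policy-Report-Only header first (same filter, different header name) and only switch to the enforcing header once the browser reports show nothing legitimate is being blocked.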
The fix for CWE 693 will be included in 23.3.13 when released.