From c22e0735a067f07dbd3c651dbc0a1486e02e0604 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot <dojo-release-bot@users.noreply.github.com>
Date: Mon, 4 Nov 2024 18:06:31 +0000
Subject: [PATCH 01/13] Update versions in application files

---
 components/package.json    | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/components/package.json b/components/package.json
index 14dc5baf9d..82cd7446c6 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.40.0",
+  "version": "2.41.0-dev",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 3744d4461a..b61326d1b8 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.40.0"
+appVersion: "2.41.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.158
+version: 1.6.159-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap

From 5f6098852878dbc31bbcf881a122df290e6f9445 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Mon, 11 Nov 2024 16:55:26 +0100
Subject: [PATCH 02/13] :bug: fix Acunetix date #11206 (#11207)

* :bug: fix Acunetix date #11206

* fix

* ruff

* add unittest
---
 dojo/tools/acunetix/parse_acunetix360_json.py |  4 +-
 dojo/tools/acunetix/parse_acunetix_xml.py     |  2 +-
 unittests/scans/acunetix/issue_11206.json     | 57 +++++++++++++++++++
 unittests/tools/test_acunetix_parser.py       |  9 +++
 4 files changed, 69 insertions(+), 3 deletions(-)
 create mode 100644 unittests/scans/acunetix/issue_11206.json

diff --git a/dojo/tools/acunetix/parse_acunetix360_json.py b/dojo/tools/acunetix/parse_acunetix360_json.py
index 082bf889a6..9d688ebc9a 100644
--- a/dojo/tools/acunetix/parse_acunetix360_json.py
+++ b/dojo/tools/acunetix/parse_acunetix360_json.py
@@ -15,7 +15,7 @@ def get_findings(self, filename, test):
         dupes = {}
         data = json.load(filename)
         dupes = {}
-        scan_date = parser.parse(data["Generated"])
+        scan_date = parser.parse(data["Generated"], dayfirst=True)
         text_maker = html2text.HTML2Text()
         text_maker.body_width = 0
         for item in data["Vulnerabilities"]:
@@ -96,7 +96,7 @@ def get_findings(self, filename, test):
             finding.unsaved_req_resp = [{"req": request, "resp": response}]
             finding.unsaved_endpoints = [Endpoint.from_uri(url)]
             if item.get("FirstSeenDate"):
-                parseddate = parser.parse(item["FirstSeenDate"])
+                parseddate = parser.parse(item["FirstSeenDate"], dayfirst=True)
                 finding.date = parseddate
             if dupe_key in dupes:
                 find = dupes[dupe_key]
diff --git a/dojo/tools/acunetix/parse_acunetix_xml.py b/dojo/tools/acunetix/parse_acunetix_xml.py
index eb1e64d16a..c744903b2e 100644
--- a/dojo/tools/acunetix/parse_acunetix_xml.py
+++ b/dojo/tools/acunetix/parse_acunetix_xml.py
@@ -26,7 +26,7 @@ def get_findings(self, filename, test):
             # get report date
             if scan.findtext("StartTime") and "" != scan.findtext("StartTime"):
                 report_date = dateutil.parser.parse(
-                    scan.findtext("StartTime"),
+                    scan.findtext("StartTime"), dayfirst=True,
                 ).date()
             for item in scan.findall("ReportItems/ReportItem"):
                 finding = Finding(
diff --git a/unittests/scans/acunetix/issue_11206.json b/unittests/scans/acunetix/issue_11206.json
new file mode 100644
index 0000000000..829c2083ae
--- /dev/null
+++ b/unittests/scans/acunetix/issue_11206.json
@@ -0,0 +1,57 @@
+{
+  "Generated": "25/06/2021 09:59 AM",
+  "Target": {
+    "Duration": "00:00:41.3968969",
+    "Initiated": "25/06/2021 09:53 AM",
+    "ScanId": "663eb6e88d9e4f4d9e00ad52017aa66d",
+    "Url": "http://php.testsparker.com/"
+  },
+  "Vulnerabilities": [
+    {
+      "Certainty": 100,
+      "Classification": null,
+      "Confirmed": true,
+      "Description": "<p>Acunetix360 identified a cookie not marked as HTTPOnly.</p>\n<p>HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.</p>",
+      "ExploitationSkills": "",
+      "ExternalReferences": "<div><ul><li><a target='_blank' href='https://www.acunetix.com/security-cookies-whitepaper/#httpOnlyFlag'><i class='icon-external-link'></i>Acunetix - Security Cookies - HTTPOnly Flag</a></li><li><a target='_blank' href='https://wiki.owasp.org/index.php/HttpOnly'><i class='icon-external-link'></i>OWASP HTTPOnly Cookies</a></li><li><a target='_blank' href='https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly%28VS.80%29.aspx'><i class='icon-external-link'></i>MSDN - ASP.NET HTTPOnly Cookies</a></li></ul></div>",
+      "ExtraInformation": [
+        {
+          "Name": "Identified Cookie(s)",
+          "Value": "PHPSESSID"
+        },
+        {
+          "Name": "Cookie Source",
+          "Value": "HTTP Header"
+        },
+        {
+          "Name": "Page Type",
+          "Value": "Login"
+        }
+      ],
+      "FirstSeenDate": "12/06/2021 12:30 PM",
+      "HttpRequest": {
+        "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nReferer: http://php.testsparker.com/auth/\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36\r\nX-Scanner: Acunetix360\r\n\r\n",
+        "Method": "GET",
+        "Parameters": []
+      },
+      "HttpResponse": {
+        "Content": "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=e52a07f0fe53c0294ae211bc4481332d; path=/\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3061\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT<!-- end #footer -->\n</body>\n</html>\n",
+        "Duration": 41.4849,
+        "StatusCode": 200
+      },
+      "LookupId": "735f4503-e9eb-4b4c-4306-ad49020a4c4b",
+      "Impact": "<div>During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.</div>",
+      "KnownVulnerabilities": [],
+      "LastSeenDate": "25/06/2021 01:52 AM",
+      "Name": "Cookie Not Marked as HttpOnly",
+      "ProofOfConcept": "",
+      "RemedialActions": "<div>\n<ol>\n<li>See the remedy for solution.</li>\n<li>Consider marking all of the cookies used by the application as HTTPOnly. (<em>After these changes javascript code will not be able to read cookies.</em>)</li>\n</ol>\n</div>",
+      "RemedialProcedure": "<div>Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as <a href=\"https://labs.portcullis.co.uk/tools/xss-tunnel/\">XSS Tunnel</a> to bypass HTTPOnly protection.</div>",
+      "RemedyReferences": "",
+      "Severity": "Medium",
+      "State": "Present",
+      "Type": "CookieNotMarkedAsHttpOnly",
+      "Url": "http://php.testsparker.com/auth/login.php"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/unittests/tools/test_acunetix_parser.py b/unittests/tools/test_acunetix_parser.py
index 47969cdeea..fe0deb95e6 100644
--- a/unittests/tools/test_acunetix_parser.py
+++ b/unittests/tools/test_acunetix_parser.py
@@ -335,3 +335,12 @@ def test_parse_file_issue_10435(self):
             parser = AcunetixParser()
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(1, len(findings))
+
+    def test_parse_file_issue_11206(self):
+        with open("unittests/scans/acunetix/issue_11206.json", encoding="utf-8") as testfile:
+            parser = AcunetixParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(1, len(findings))
+            with self.subTest(i=0):
+                finding = findings[0]
+                self.assertEqual(finding.date, date(2021, 6, 12, 12, 30))

From bb883109b51e3c62dc8eb49e193cf99c7b0cbeb9 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Mon, 11 Nov 2024 16:56:27 +0100
Subject: [PATCH 03/13] add TEMP to vulnid (#11180)

* add TEMP to vulnid

* ruff

* sha sum

* sha sum
---
 dojo/settings/.settings.dist.py.sha256sum | 2 +-
 dojo/settings/settings.dist.py            | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
index 259f13a4c6..593f8b129d 100644
--- a/dojo/settings/.settings.dist.py.sha256sum
+++ b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-6b9365d002880ae64ab54da905ede076db5a8661960f8f1e2793b7f4d25ff7e8
+60628ca4667641350d3d1854d1a6f863ce2ddeefa4f6e5df83f7e11a700cde0e
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 9920533272..2c9ff2c7b9 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1744,6 +1744,7 @@ def saml2_attrib_map_format(dict):
     "ELSA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
     "ELBA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "RXSA": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RXSA-2024:4928
+    "TEMP": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
 FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES")

From 7e636fab772942eadb5e1b6a2dd113c1356566e2 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Mon, 11 Nov 2024 16:58:22 +0100
Subject: [PATCH 04/13] datetime.utcfromtimestamp() is scheduled for removal
 (#11208)

* datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal

* ruff
---
 dojo/tools/checkmarx/parser.py        |  2 +-
 dojo/tools/checkmarx_one/parser.py    |  2 +-
 dojo/tools/contrast/parser.py         |  4 +---
 dojo/tools/wpscan/parser.py           |  4 ++--
 unittests/tools/test_wpscan_parser.py | 10 +++++-----
 5 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/dojo/tools/checkmarx/parser.py b/dojo/tools/checkmarx/parser.py
index 0d5607f509..6e832723f9 100644
--- a/dojo/tools/checkmarx/parser.py
+++ b/dojo/tools/checkmarx/parser.py
@@ -368,7 +368,7 @@ def _parse_date(self, value):
         if isinstance(value, str):
             return parser.parse(value).date()
         if isinstance(value, dict) and isinstance(value.get("seconds"), int):
-            return datetime.datetime.utcfromtimestamp(value.get("seconds")).date()
+            return datetime.datetime.fromtimestamp(value.get("seconds"), datetime.UTC).date()
         return None
 
     def _get_findings_json(self, file, test):
diff --git a/dojo/tools/checkmarx_one/parser.py b/dojo/tools/checkmarx_one/parser.py
index f8896c0b27..7a85cd521d 100644
--- a/dojo/tools/checkmarx_one/parser.py
+++ b/dojo/tools/checkmarx_one/parser.py
@@ -22,7 +22,7 @@ def _parse_date(self, value):
         if isinstance(value, str):
             return parser.parse(value)
         if isinstance(value, dict) and isinstance(value.get("seconds"), int):
-            return datetime.datetime.utcfromtimestamp(value.get("seconds"))
+            return datetime.datetime.fromtimestamp(value.get("seconds"), datetime.UTC)
         return None
 
     def _parse_cwe(self, cwe):
diff --git a/dojo/tools/contrast/parser.py b/dojo/tools/contrast/parser.py
index 9367bdcf6d..e72345d33d 100644
--- a/dojo/tools/contrast/parser.py
+++ b/dojo/tools/contrast/parser.py
@@ -41,9 +41,7 @@ def get_findings(self, filename, test):
             severity = row.get("Severity")
             if severity == "Note":
                 severity = "Info"
-            date_raw = datetime.datetime.utcfromtimestamp(
-                int(row.get("First Seen")) / 1000,
-            )
+            date_raw = datetime.datetime.fromtimestamp(int(row.get("First Seen")) / 1000, datetime.UTC)
             finding = Finding(
                 title=title.split(" from")[0],
                 date=date_raw,
diff --git a/dojo/tools/wpscan/parser.py b/dojo/tools/wpscan/parser.py
index 95c0a8c4c2..2ba6b5016b 100644
--- a/dojo/tools/wpscan/parser.py
+++ b/dojo/tools/wpscan/parser.py
@@ -1,6 +1,6 @@
+import datetime
 import hashlib
 import json
-from datetime import datetime
 
 from dojo.models import Endpoint, Finding
 
@@ -89,7 +89,7 @@ def get_findings(self, file, test):
 
         report_date = None
         if "start_time" in tree:
-            report_date = datetime.utcfromtimestamp(tree.get("start_time"))
+            report_date = datetime.datetime.fromtimestamp(tree.get("start_time"), datetime.UTC)
 
         dupes = {}
         # manage plugin findings
diff --git a/unittests/tools/test_wpscan_parser.py b/unittests/tools/test_wpscan_parser.py
index bd71aae294..0b44ee4965 100644
--- a/unittests/tools/test_wpscan_parser.py
+++ b/unittests/tools/test_wpscan_parser.py
@@ -26,7 +26,7 @@ def test_parse_file_exemple(self):
             self.assertIsNone(finding.unique_id_from_tool)  # interesting findings are not vlunerability
             self.assertEqual("Info", finding.severity)  # it is not a vulnerability so severity should be 'Info'
             self.assertEqual("Interesting finding: Headers", finding.title)
-            self.assertEqual(datetime.datetime(2021, 3, 26, 11, 50, 50), finding.date)
+            self.assertEqual(datetime.datetime(2021, 3, 26, 11, 50, 50, tzinfo=datetime.UTC), finding.date)
 
     def test_parse_file_with_no_vuln_has_no_findings(self):
         with open("unittests/scans/wpscan/wordpress_no_vuln.json", encoding="utf-8") as testfile:
@@ -49,7 +49,7 @@ def test_parse_file_with_one_vuln_has_one_findings(self):
             self.assertEqual("8873", finding.unique_id_from_tool)
             self.assertNotEqual("Info", finding.severity)  # it is a vulnerability so not 'Info'
             self.assertEqual("YouTube Embed <= 11.8.1 - Cross-Site Request Forgery (CSRF)", finding.title)
-            self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16), finding.date)
+            self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16, tzinfo=datetime.UTC), finding.date)
 
     def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
         with open("unittests/scans/wpscan/wordpress_many_vuln.json", encoding="utf-8") as testfile:
@@ -63,7 +63,7 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
             self.assertEqual("8873", finding.unique_id_from_tool)
             self.assertNotEqual("Info", finding.severity)  # it is a vulnerability so not 'Info'
             self.assertEqual("YouTube Embed <= 11.8.1 - Cross-Site Request Forgery (CSRF)", finding.title)
-            self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16), finding.date)
+            self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16, tzinfo=datetime.UTC), finding.date)
 
     def test_parse_file_with_multiple_vuln(self):
         with open("unittests/scans/wpscan/wpscan.json", encoding="utf-8") as testfile:
@@ -81,7 +81,7 @@ def test_parse_file_with_multiple_vuln(self):
                 self.assertEqual("Contact Form 7 < 5.3.2 - Unrestricted File Upload", finding.title)
                 self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
                 self.assertEqual("CVE-2020-35489", finding.unsaved_vulnerability_ids[0])
-                self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6), finding.date)
+                self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6, tzinfo=datetime.UTC), finding.date)
                 self.assertEqual("", finding.get_scanner_confidence_text())  # data are => 100%
 
             with self.subTest(i=4):
@@ -89,7 +89,7 @@ def test_parse_file_with_multiple_vuln(self):
                 self.assertIsNone(finding.unique_id_from_tool)  # interesting findings are not vlunerability
                 self.assertEqual("Info", finding.severity)  # it is not a vulnerability so severity should be 'Info'
                 self.assertEqual("Interesting finding: WordPress readme found: http://example/readme.html", finding.title)
-                self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6), finding.date)
+                self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6, tzinfo=datetime.UTC), finding.date)
                 self.assertEqual("", finding.get_scanner_confidence_text())  # data are => "confidence": 100,
 
     def test_parse_file_with_multiple_vuln_in_version(self):

From f092d81f6624eca7c1f51c50224cc5cc4d9e956e Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Mon, 11 Nov 2024 16:59:04 +0100
Subject: [PATCH 05/13] datetime.utcnow() is scheduled for removal (#11209)

* datetime.utcnow() is scheduled for removal

* ruff
---
 dojo/tools/awssecurityhub/compliance.py | 8 ++++----
 dojo/tools/awssecurityhub/guardduty.py  | 8 ++++----
 dojo/tools/awssecurityhub/inspector.py  | 8 ++++----
 dojo/tools/dependency_check/parser.py   | 4 ++--
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/dojo/tools/awssecurityhub/compliance.py b/dojo/tools/awssecurityhub/compliance.py
index 5fea1a8a78..1f97da12b7 100644
--- a/dojo/tools/awssecurityhub/compliance.py
+++ b/dojo/tools/awssecurityhub/compliance.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+import datetime
 
 from dojo.models import Finding
 
@@ -31,11 +31,11 @@ def get_item(self, finding: dict, test):
             active = False
             if finding.get("LastObservedAt", None):
                 try:
-                    mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
+                    mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
                 except Exception:
-                    mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
+                    mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
             else:
-                mitigated = datetime.utcnow()
+                mitigated = datetime.datetime.now(datetime.UTC)
         else:
             mitigated = None
             is_Mitigated = False
diff --git a/dojo/tools/awssecurityhub/guardduty.py b/dojo/tools/awssecurityhub/guardduty.py
index 40b2664950..fbc1346697 100644
--- a/dojo/tools/awssecurityhub/guardduty.py
+++ b/dojo/tools/awssecurityhub/guardduty.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+import datetime
 
 from dojo.models import Endpoint, Finding
 
@@ -25,11 +25,11 @@ def get_item(self, finding: dict, test):
             is_Mitigated = True
             if finding.get("LastObservedAt", None):
                 try:
-                    mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
+                    mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
                 except Exception:
-                    mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
+                    mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
             else:
-                mitigated = datetime.utcnow()
+                mitigated = datetime.datetime.now(datetime.UTC)
         description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}" + "\n"
         description += f"**AWS Finding ARN:** {finding_id}\n"
         if finding.get("SourceUrl"):
diff --git a/dojo/tools/awssecurityhub/inspector.py b/dojo/tools/awssecurityhub/inspector.py
index 61b18be5bf..3b0264bf95 100644
--- a/dojo/tools/awssecurityhub/inspector.py
+++ b/dojo/tools/awssecurityhub/inspector.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+import datetime
 
 from dojo.models import Endpoint, Finding
 
@@ -48,11 +48,11 @@ def get_item(self, finding: dict, test):
             active = False
             if finding.get("LastObservedAt", None):
                 try:
-                    mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
+                    mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
                 except Exception:
-                    mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
+                    mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
             else:
-                mitigated = datetime.utcnow()
+                mitigated = datetime.datetime.now(datetime.UTC)
         title_suffix = ""
         hosts = []
         for resource in finding.get("Resources", []):
diff --git a/dojo/tools/dependency_check/parser.py b/dojo/tools/dependency_check/parser.py
index 1d4a167429..8f87042b63 100644
--- a/dojo/tools/dependency_check/parser.py
+++ b/dojo/tools/dependency_check/parser.py
@@ -1,7 +1,7 @@
+import datetime
 import hashlib
 import logging
 import re
-from datetime import datetime
 
 import dateutil
 from cpe import CPE
@@ -302,7 +302,7 @@ def get_finding_from_vulnerability(
                 mitigation
                 + f"Update {component_name}:{component_version} to at least the version recommended in the description"
             )
-            mitigated = datetime.utcnow()
+            mitigated = datetime.datetime.now(datetime.UTC)
             is_Mitigated = True
             active = False
             tags.append("suppressed")

From ca96f34937e5eaa30cf88753f62b147d13355838 Mon Sep 17 00:00:00 2001
From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com>
Date: Mon, 11 Nov 2024 11:50:46 -0600
Subject: [PATCH 06/13] FileUpload Base64 extension fix (#11203)

* initial files but likely to change

* improved file extension checks

* remove os import

* Use file url

* not used imports, file url or title
---
 dojo/api_v2/serializers.py                    | 17 ++------------
 dojo/models.py                                | 23 +++++++++++++++++++
 dojo/tools/generic/json_parser.py             | 11 ++++++++-
 .../scans/generic/test_with_image_no_ext.json | 16 +++++++++++++
 4 files changed, 51 insertions(+), 16 deletions(-)
 create mode 100644 unittests/scans/generic/test_with_image_no_ext.json

diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index 2680e8f1ad..6e100f43b5 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -1,6 +1,5 @@
 import json
 import logging
-import os
 import re
 from datetime import datetime
 
@@ -803,20 +802,8 @@ class Meta:
 
     def validate(self, data):
         if file := data.get("file"):
-            ext = os.path.splitext(file.name)[1]  # [0] returns path+filename
-            valid_extensions = settings.FILE_UPLOAD_TYPES
-            if ext.lower() not in valid_extensions:
-                if accepted_extensions := f"{', '.join(valid_extensions)}":
-                    msg = (
-                        "Unsupported extension. Supported extensions are as "
-                        f"follows: {accepted_extensions}"
-                    )
-                else:
-                    msg = (
-                        "File uploads are prohibited due to the list of acceptable "
-                        "file extensions being empty"
-                    )
-                raise ValidationError(msg)
+            # the clean will validate the file extensions and raise a Validation error if the extensions are not accepted
+            FileUpload(title=file.name, file=file).clean()
             return data
         return None
 
diff --git a/dojo/models.py b/dojo/models.py
index dba8f45c44..117b8d0ebe 100644
--- a/dojo/models.py
+++ b/dojo/models.py
@@ -6,6 +6,7 @@
 import re
 import warnings
 from datetime import datetime
+from pathlib import Path
 from uuid import uuid4
 
 import hyperlink
@@ -741,6 +742,28 @@ def get_accessible_url(self, obj, obj_id):
 
         return f"access_file/{self.id}/{obj_id}/{obj_type}"
 
+    def clean(self):
+        if not self.title:
+            self.title = "<No Title>"
+
+        valid_extensions = settings.FILE_UPLOAD_TYPES
+
+        # why does this not work with self.file....
+        if self.file:
+            file_name = self.file.url
+        else:
+            file_name = self.title
+        if Path(file_name).suffix.lower() not in valid_extensions:
+            if accepted_extensions := f"{', '.join(valid_extensions)}":
+                msg = (
+                    _("Unsupported extension. Supported extensions are as follows: %s") % accepted_extensions
+                )
+            else:
+                msg = (
+                    _("File uploads are prohibited due to the list of acceptable file extensions being empty")
+                )
+            raise ValidationError(msg)
+
 
 class Product_Type(models.Model):
 
diff --git a/dojo/tools/generic/json_parser.py b/dojo/tools/generic/json_parser.py
index 296209f3d2..0a09a9deda 100644
--- a/dojo/tools/generic/json_parser.py
+++ b/dojo/tools/generic/json_parser.py
@@ -1,4 +1,8 @@
-from dojo.models import Endpoint, Finding
+import base64
+
+from django.core.files.base import ContentFile
+
+from dojo.models import Endpoint, FileUpload, Finding
 from dojo.tools.parser_test import ParserTest
 
 
@@ -103,6 +107,11 @@ def _get_test_json(self, data):
                         endpoint = Endpoint(**endpoint_item)
                     finding.unsaved_endpoints.append(endpoint)
             if unsaved_files:
+                for unsaved_file in unsaved_files:
+                    data = base64.b64decode(unsaved_file.get("data"))
+                    title = unsaved_file.get("title", "<No title>")
+                    FileUpload(title=title, file=ContentFile(data)).clean()
+
                 finding.unsaved_files = unsaved_files
             if finding.cve:
                 finding.unsaved_vulnerability_ids = [finding.cve]
diff --git a/unittests/scans/generic/test_with_image_no_ext.json b/unittests/scans/generic/test_with_image_no_ext.json
new file mode 100644
index 0000000000..50051651e7
--- /dev/null
+++ b/unittests/scans/generic/test_with_image_no_ext.json
@@ -0,0 +1,16 @@
+{
+    "title": "My wonderful report",
+    "findings": [
+        {
+            "title": "Vuln with image and no extension",
+            "description": "Some very long description",
+            "severity": "Medium",
+            "files": [
+                {
+                    "title": "testcat",
+                    "data": "iVBORw0KGgoAAAANSUhEUgAAALIAAAC5CAYAAACMTWWrAAABY2lDQ1BJQ0MgUHJvZmlsZQAAKJFtkL1Lw1AUxU80paIOHVyUDh0Vo0gNLuJHLFKVDiG2+LGlaWyFtj6SiOisi5OTODlKh24OXes/4FBFwU0U1FnIojXe16ht1Qf3nd873Pdyc4COkM5YXgRQKDqWFp+LrK6tR4LPENGPILowqRs2U1Q1QS341vbl3kDgejXC35KE2uXh0lPgRZopnX7IR3/721Z3xrQN0neqCYNZDiDIxOqOwzjvE/dZNBTxCeesz2XOaZ+rjZ6kFiO+Jg4ZOT1D/EgspVv8bAsX8tvG1wx8+l6zmFomHaAKI4E4IkiRJqFBodM87RqGKaf/78mNezFsgWEXFjaRRQ4OvaKQw5CHSbyIIgyMQiKOYoxK5nn/zrHpHZwD01P0qXDTW9gDyg/0C7NNb7BEEdwDFzWmW/pPuoIr2hvjUZ97KkDg2PNeV4DgEFC/9by3iufVz4DOO6DqfgLgq2U8ouVgHQAAAFZlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA5KGAAcAAAASAAAARKACAAQAAAABAAAAsqADAAQAAAABAAAAuQAAAABBU0NJSQAAAFNjcmVlbnNob3RsSk43AAAB1mlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNi4wLjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyI+CiAgICAgICAgIDxleGlmOlBpeGVsWURpbWVuc2lvbj4xODU8L2V4aWY6UGl4ZWxZRGltZW5zaW9uPgogICAgICAgICA8ZXhpZjpQaXhlbFhEaW1lbnNpb24+MTc4PC9leGlmOlBpeGVsWERpbWVuc2lvbj4KICAgICAgICAgPGV4aWY6VXNlckNvbW1lbnQ+U2NyZWVuc2hvdDwvZXhpZjpVc2VyQ29tbWVudD4KICAgICAgPC9yZGY6RGVzY3JpcHRpb24+CiAgIDwvcmRmOlJERj4KPC94OnhtcG1ldGE+CsfROKoAAEAASURBVHgB7L1Zl2TXded3MnKIzMh5Hqsqa67CRBAECJKiREkkJTZblpe9evnBXn6xl7+FHvwF/OA3fwa7e3X3kpa62WqJsyiyCREzUIUac57HyIyMyIgM/377ZhSyMJECKkDZzQtkRWYMN+49Z5+9//u/h9NSKpXq6Z941Ouf/JFHr7Z83Il5x6M3Nd7z+Jtb+LOF/353PJkRqDPgJ2cGvTG2jcf4FueEn8dG/cxUtbSc8GI1u6DH5s/JyvFZH/30Y2fI3t/49xNearzl0zy2fZoP/frPtGRD9mhQvOs6t/f+3X/wfhzoxgD4zt8dT3YEspF/f/yz0XZGHO2PGG/e8Ojdj37huXot1avVVK2epJOTE+Q2l1rbWvnpSC2tradzmJ39yd7BJ5+tSYL84S91yDJBPh2Vx7S6Q3k6mLGiEenPfyw+fNH/v3pGkX1fIh3tbIjf/+3s7T56Z+MXHutOSu041cqVdFQup1q1hiJuTfnOrtSqRs7x82ji/OAHFsgH/jz7fZ/196YJsrdxUqunVu6tWimnfJ6vqp+ko8MDbjzPi5qp0ztzEPxR1PnMca0Wv7e2tadWVnnL6fuENP74d+O5zzoA/7V8/oSxr9arzEcu+Z9iHCLM8/6Wi7FHw/JbnbmI1xwcBZj58Kd0uJ2ODrZSuXKcygjzQamUSqWj1NHRmaZnZtLo9EzMcf0EGMP8trZ3cIKWdHxcTW1tbcjDScohEI1p9/RP6miOID82Ctwb5ujk+CSVS4dpfW0l5dvb0tDQIAvYAeXGFNZWLqWFRwaOoYzV/XHC2hDo7PNPaij+aziP6iU7MhWCECPILYFtTwVMwQY6KHQnCiQCXOXvWvU4bawupeLuOjrH97aEEG/t7jtbKccJOzs7U8/AUAj/CZ9pbW+PL6vVMkGuCUV448fN6+mlfaqHpghyCKMjxc2eYIo6ENTSwV5amn+YlpcWUqVcSv29vamN1dnZ3ZMGBgZTb/8AWrsQN9/GSm4Itis7w2LoitMBbDz3O0H+zec8x1y0tbShHx+BODVMpjiYqxYmrYKGbeV98Z/PndRQPgdpb2cn7e3vp8O9zVSrlDLFw/sqFRw/hFSB3+U9K0tL6XKhO7V05J36R0dDcBuPj154gr80RZC9vpBjBur4+Biz0pK211fTvTu30+b6Wjoo7qZ8R1tqA18pwBMTU2lkbCx19/SmQvz0p5TPTFxNs8Z5FNqG4DZzQJ7g2P6zOpXCiR59dE3hr2j4YqJ4OoRa503lo3DW0rFYuLiX9hHg3a1tBPsYQdeyHqXSURmcXElVhLgNR+8Ia7u7A/QoH6UuNHPOE6PdtbIuIg/P3ay5a54ga2+8EQeFX1fQxEsLcwxCMR0fHaUKqKKO+drf200H+3tpY2Mt9fcPpmEEemJyOnUPjKR6u9BDlJGZMgW6cTSEuvH37x5/kxFQoETEjKOC2/iI88Rz7YWOdHJwmLaZiz3mpYJQ1oAIx/g4OWg3yAnmEz8F5VJDQSUew8nj8/o+O2BrH7tQTgpsXSiBNc7mz3l89I2Nb35ij80R5FOByyHC3nvl6BAhnk9721upFbyc7wBqFIupxqqvHJUQ7lLa2d5OPX39aR+hLh+W0ti5k9Q7OoUj0cEAcpmMQQMb+9islf3ERvaf24lCdhHYGLvMYnqJYmRUcPbD73u7m2lzYzXt7+4iiApvhp3bcjAUp0LchpD2dHWlVGhBruvpEM1cPDhIFYRbzeyiYILSCaxGa2t74GK/K9PI/vbkj+YIMjcS2tNB4/eD/d20srKMqTrCcz5OhXxvGh0dTAVom458HoEGb3HT+LTpsLifHj58kA6AX6Ms+h6wdE9PD/g5HwyGQxCrnXP/7vjNR8DhkhEKnahmjF8QYjWu83J8BCOxn7a3NxHmbaxmiTFvh2FSkTCLtdZUP67H/IWgClRgIsoI7yFQQ6ewpfUkHMC4KqxoDU3eqgwg1H6mmcqnKYIcl41ZqePpsi5TcW8PjbsFxqpC4eynLiBDSz2fBhDQ4YFebE5rKkuwMziMDvRbHadwKS1s7MFuDKXx8fH46e/vDw3tQJ2FGTFwv/vnE0dAB1x2IsOrmWA5hlUEsQQcOGJeHty/m3Z2NlMRx8156+vDcav3oWyg0ZjPfCvYt6M9c76Fewhy5RiczGLwaANGCEMyQecMfOaRAMfC8V3NOZoiyOEKt6hhddSO8Xq3AkrkwRnHpUoqdxymsSFYCgcFnFwpM5j8wDqjddv4TEsqbu+n4vFyqu1D05WLqQuM1tVWS22ph8HUK3Zksp/Q+6Gg+Tv7P0bLV7NBjV/+Gf+TXeknX6BC8cHjzOceWajGc43HxmdQLMyJ1FnKYTFRKqhiNO8OgrvBHG2mteW5EODe7nzq7u5Kvb19qVDoxGLWEfYSCgbMi/V0TNvbcqm9I8cpuK5aGXoVrYwDH+PttTg/Of4GN3vl2dU4Ux+8rsb1fbbH5glyG2LJ/RwUD9PD+/dS5fAwMNRQf3dq5+aGB4cg1stprXgQN5vqOf6uMLAMMILciUkbHUIbdHKDB+vpYCOXtlMpHTG4Q2MTIcx1POLQ4iwA4YnDxOiFJ441jEPN8vEHb/q14xor5ONP8aleOful/B5CePa5D5xUdRr30biW0/fK/54eBiHiPAYzYpH7wvuvy0LUUCptCHIdSrSO4JUPdtMOLNI8mlgfpr+vJw0NDqRCdy9zVU1lnXIe2/Ndqa2zm/lEcKtlmIrjlDvW0aum3MlRak+wGf7AaHR1dQYPDZWR8t3dcdXCRgVf5z/n9Z25rsb1f9bHpgiyUaQTVnzOR+kzTIz8ZHdPIY0Mgo0LeTTALnDiOFV43ahPf+9AGgZG1Kti6sO0isOxtrKQOgqF1E/wpFKR8jlIndBz2zgiM7MXUwt8M2PEom9PnV09DE+Ov+sSJeC1logqnp3Mjx6s9yf7w683BKfx+OF3/GbPfNJ3cAZf/oxfEZqWBSFccLxDIzYEhnPjs8UXCSNqCHErUT5ZCfGwP0eM7eTYIEIuS8HrbXkgBQqCz+aADD09famzpT2V2w7TIeJZrRwCS8rECFRKfakNp7yGYyd0cSGFlTy9rVin8e1eQ3OOpgiy3HGZwejFWegAPnSySg01yz7o2abDkzSIcE4N9KV8VyFTSAx6Wyv0D4LcAS959dolXmtNy2vraRetvQWrsb27h2B3p97hoTQ2MQ7VDFZBK7ViKhsGzInIsGB2a5mW/vjB+/Xa4TNKWEOYHj2evRYl+FTIf42sa2kel3Y+0PjM2UtEiE9CchgTBCoEmr+PETo1qRq5DK69d+9Ounf73bSzuZ56uzrS9OQUwgxvzE83yqFvsCt1IZzGPAxQdWIa2xnrOnN4jOIp7ZfT5t5OpB/U0LLHzkNXe8QGvLDGpXm3GT7PLuXs8772pI6mCLIXF5zhKW/oCq0Qn6+iJY95bGcVa7bq9V6wWCGSTtRIskDVSi0EeQctsbuwE15xncEXaoi5qtB3UndzMBvnZy8SQOnH9PGaWoJFQpA7Bj4bSbTTZx6pJzH0nuOznOfs58/e0dnfEXO1MVZQzZBjrA0HZ4KcGPP2gHRHjN3iwmJ6951baXl+TlDGEulKua2Url29jN/SkbqABJ35bqwlEbv9AyzkQSpiJfs6C6mAkumAUNaxO0DByEaVmNNONPbYVJ7nWXAIdtyvhoFfva64Ay/3swzDJ8xlUwRZ7re9gysGi5HvDLcItXN4lIaBFsNgsHMzU+n6jStpfXMrzc8vpKL0DZgrUgMZPHEU/jSDCc5Cm5+wELqg6uQrN4kwHZTX0sO5+fTil19Oly5dTmOTM8AJPsFn1fB8MT+NUfssI+dnG+f5hFH8tS95ns9yHdlV+DWP67rTL1blISzgArSx0TkFyH+8dn2Ekwg6rSwvpTXyJTZWV4AftTQJG9SONevqxGqiDLa2d9LgwEDqxOp5ugJj2TcwzHlaUBIEPfYJZh0c8Wcu9QLxxkdH4rz7+DAlAilVBNpoLVosrjS+2kvESrTUed4La9LRFEHOrpUh57pbMUN9/acUDi8cI7AdJA39p7/5OwQUEwalNsyAtLfnCXHKY+6ChRFszGD9pBUhPwit0IEgC/T0nAd7+9MBIdJXX/kl2vkA7V5Gs/eA6boi2FJvQUND55G4EVr848buI4XisTcrCA6+j5/28PP+/FOOD37f+59vXFF2Np9XUHkWITY5y0X8PqMDU4GVOoITlvY82N9Ji2hhg0/dwD4yByKQcVxuTZ2jw+nChQsEOlAECGoRlqK8V4w8Y/XpYamc2vmqHAqjdlxKnXx4kAje5PhYOgSO7KOoDgmGmF332NqPdZRh95Djx28gu40n8G9TBDmcPageQ5MFnLWx0dGgc8yb2NoicrTZn65eupTagQstZEhV4CF3yaIq4Xz09fXFALXBejALCG41hFanowxgK6LhkfDUDz20trEViUi6FlPTpBEOj6QKC79dqgMhjiwtCLuPPxzVX3f8Ju/5def4da9/8Dv8++xz3NSZw1cy0W68p/F+tbGS4xAZRma8yJUwoWd5cSG99eZb6cGDexFJnT03nZ57+kaamniWbESCHbz/8KBEpPVYBYpmV57bEEwcdcZSAc+hHGonZa4MqIh1PEagTTPoxAIfoaD8UAhyXAFXyN91pDe7Vi+Kn0d/xJue2D+fNMuf+ks0PdQN8Hm54RRBDOFCJKNwY3l44ENW/ADsRT+Cq8c7MUG4E2k9gmcuomVzDKCOm/SPXngRs7aP+drlscxz586fS5NokQM0xQY4rY8F0wcMaUEr5QmfdvYNMmh8u5jx4w5VhDb0444Y9CaNfHxn47t9bPzuCx/822vQXH/waLyPR+6VIYbn5T3cs2yRTMQ+vsb21gaQYpnnq+mlL34hcKy5Eo6rWFfnepfcCtMw5fTboMq6wcnt7V3BISvU8vsdzGmuBwh3VESrr6cdzmtWnJfbw/v7gBvOc1z+6bBluJ038H+zhNhRaYoge82IYaxW8ynyDFAnIeY2oEJ/AU6Sm3XQZBSDq0Qjt7DqXelHwIod2IlD0j5PWP1taOxeIoDjmLBhBF3BLlGdYDTpEO1sAsvi3Fx644030nf+9E9AFCfpxvXrKc/3eE75TDWThzSSfKpjrLbWQjhBx/DXHeYOIAA6MJ0k/ptLWwG767HncG7CYUHwjVZVOV8j4b8xUXEtvNY/0B/vUWPJ1ojd1WhZKipmme+UbtR3yOukcjHSYM50Owu6FWzLyPF+coB5bweL3sd6nWxBPicjsU+ktJtAhQJXJDelgGXLES2tQK3JEpVIzDJ/eBEtvDA/D6w4TAd8pp3rr3Gv3ptOmcK+A5Srwx93o3H3UBJ8taPDvFT4XghNxscV4ntL0m1wyW1Aw4LKgusPJXNQTHUWwwhz3EHil88Ffw9edvk518q3UtGsoymC7Gj4n8xFG1UeXdy0PydgNTWAGK4d4fDRXNZ2brizKx+QoBtHowDeLRZ3SCAiAwvNYQaVzp6QwXMeMDE6Jr53bWMdByOl8ZHh9IMffD999atfSX/1V3+Zfv8bf5Amzl1JuTzYGWFsY4LxKIlEwWwwie0MLqkBPAX2IyJV53Ef7dLb18tEYGb3DjNLEhPAAuLaFTQ1Tlw716FANwSzgPA3QrL8gtlVkM0PQVJZIDX+bsOEa5WQ1nisVfUjsiiZzpl+gXjTz5jjoFCJbWsnLvxu/kYQqxW+P2G59slDIcqJcCgkYuEOnOOinDBY9YiFcuvtt2JhVgg8ba1vAOcuQrNNMgdtQLltvg84wHcIJ3ZLCDonLoF1j1kEneSG9+v4dbUFxt7bcSHA9+uLEOmqItg5FpZCKnxszXeSV95H2BpLfNbKcftMc9OPpgiyi9ofBTXS+OJOWiDeEUwwWwFHY6+IxuSmFajufhKD+gZSV8FSnLYY0KHh4TQ0MhTa01EoQgFtgq8PgCTWipleOECYu6+QCeoutNIo7zdrqxtNeO/eXTRIHYruOlobATmohReuo6nzY0Zel7jPBaUgMKmF0JDYBVaGi6MKF66gtSLAZd7vc7pTOT1zooouDCshDPmquQ2tI6F8H0LbgDUMhBrqBOGAA4sgEW/AnMubq+xgaBB0v8fT1vAtKlgcQjuxSBTKvn6YA2Cao9redsJpWoNF2NteC8VQKmI5GOMKSe9ez4O7d9Obb73J29H+nHQTLp6TYWGAZiQFmYDlglL3H/NdBqsU7tIheRLcQ7t8Pte8t4ffAtTrYL4GsDRt3HOe19qI6FWPsVL8d8QCdU7kmI8jOqXkcqmnPz48mkR/b9LRFEH2WhvCbI2WTp9aUMig5lOYJifHQ2AUjE7wlabLELXOhVr8kND2IRjPDLk+NE93TzdaDo2KU7FFovceHrVmd2FxieDKAJFBBBqBe+3111gQhbRLJtfK2jZJMIdQdBfTIEGU4zKafF3IcpIGiDC2IIBeT518gSO0VifftTY/l0ahpSq8V61mpcrQyEhg7xYEThiiZlakJQnb0Z7WJJa51hqOTzvXHpYGQSkZMOA5Az3mKrTxfWpHAzisxAhQ6BwdskhcKB1CBBbLPs7ZLt9lLkoV4TB4dIh/4HX3sOj9PqHN3MO76TL3Jmzogdo85npfffVXYFeS4Dn/6uoatXUEptCikwSQuoFb0mTCsUHYogLjLrTSSubRqPouJsxr8WSCVKyRj8x9Cs/Mnjvi/QUifs5vC3PKzbKQtSD5sGYKbegtX+fHte3jo+OxPx49+5l/aaogx9Vx410M4BBm6h63ZCGiGsqJyWHSZS00z5ozw9W8xERD3jOplphvM0mGpDsQkDxab3pqOs0QhToADxbRwtevXomBbGfShRkX8MYLYOojBG4HaKJTsjCXS1ski4/Cnmg+D4UmTHQP1J5YWwy/gemtKlz8fYL53kD7t3NtRa6zhoa1yLIK7HAxqdGcLT12F2oZrWZOiRpKXyB7rhJBIC1MAQi0t1tkvsHg4MkjLEaFBSSOVnCLh8W0sDAfkGVicozroFKZa9E3sFq5hcVdCZ6dMSr3hUUS4+6T6JOrz3CdLWjdtfSPr7ySlljYXVzDIE70Ljz94f5xGp7uZ/z7Ax5FoIpB9tpdKL0EMkwK0vleXd0ImCBU6ObHAtOGPyCEUJBdTLJSHioOq0Ece4X5LKJQehVif/zdh2YeTRLk7LKdWM222WpDaMB2MJUGskHR+LcD1AWWVLvqHRsUUaOp3eSM+T+0Uumwwqjso6Hz0D06QFmtWAGh2AQvi293MYW9aO4x2IyNrR2+He3IoJuaWCrpSNUDV/vZIzK2KmhRnSdDuTqZK6uraYwKlYW5hzFZeuSrGxsIL1QTC03zav60jpGLTy2us6fDqoA7sUW0mwvVv4VAvRQLGAkrgWmrxz0I8l5oewXZIgLN+87uTnr33bdjtk9ObpK6qsNYS/tFHFoWiJ9xLBWYCpmA8re7Rtr61LD7Qc6YDG9hb4+4nEFfJ+hhOPo8mLgDeFFUGQBt2lEObQhdfD9WzfyUrq7uGBdhhMLYWKy95IJ7f5Y8eY/OTYSxD3dIFiJCCzzqIjIrNm4Fw7czNyGxp1IbgnxGepspzE0S5OzqFUYZCh0Z6RwhhivawREy9KDhzDHuIvSp9jvh9YjnMwK2BECkA2Pn0eqy8RUGc2/vIC3tLyMExTQyMhjC08d51MY7CDQ6I5Xn0HQwBa05+E20b4nqhQK8c4WJET936W0rgGhtBXh9fZ1zjaQ8C8vwtxrWc/7yl++mLZwcTbJwRWyq0Je5JwVbmHGECVbDK8SsWYRODU62F/ejdtc5LBju5XvC3HD/SHoIm4uMl/m+Ejnb4FHgxQoJOH295qbk0LKbXCOtFBAQnV6vSWxdKR8EpOkHTkitKX3WQnYDDwzTK0BlnDave2pC5470WL5Hza2WNVNOTbuyspIezC2kQZTM+XPnSdvsQYgzq1SHMbKdQxuL0HkT7vGpuO8tEr4sQi0QEdT5VD87poVu2ImG4J4R5sZTPj56/eyTT+D3pgmyGsTy7zpCrBdjoEPtWUEDq9FM1g6zhKmvMhiVQ9AyZli658SZwLEQYpxALSggnI1/dYzQYadaWpwsvSeEmJicILTahQZdJ+BChQPasJs8jL6+FoQMqMKEyAaYh3tMPofCptDJT29vUh2MYGo1timgHBkeAWqskmh+P62zOMbGRtOF2Qu8h9RGHCajiX5emi4rou0G32IlEALpMPFjv2VbcLObQBZZ9S3M/CjMio6cGlrLUj2GiUFLFveolIE+m59fS29hKQZIdR0fH00ba6sIdwl8D6WFuGzzWl9vV3rrrTfSF597LpKo9CktKcKGcZ1D4GfoyPmFNDE2gt/Qx71SkQNMGyS6Wgb3aw2z8qNWLIopBKTXwuSobYNdIjoaVTv87fhoMQqMq9q5j+ir1F2t5sLLnEutygFMS//IGAuCVgBK6qm0Og4ePp4+FX8345+mCLIXjQOeCSRx6BZSAgtDw6mD0HIPwnCMJOoktYIF62DdahkfXdWko8RgRVTOqQMCtCAwvlRnsk6qsAipgrlGm6O11FZbOEarC6uEuYfBwARIOJ/4e5EAwBhCP4WAD8NmjKJx5WEPobPUSEIRK34zM0qW3RIYFVpJQa+Rc3vv7nshiMdoy7m5+2lmehyHDQ160gWmPQiBqNegCtHUvT0EDrA+LXy+v7cQ+SN5NScaVpqwr7eb8y+zmE6CCqxVCsExR3HnMRaL8RBb5zH76ysb6f7dh2SeCRvgyznv0txSmp09B0lClBPI9N5b76YvXL+Z9nHqZqanA7+PjoymPpy6MkJpbkvcLwpkBYdvG21fRGALwA5xt52BDD4NINQ6uCZ0ucBO0ObVDlI4GXAxeAfjZdi7eLiHqdmPdM1BFEeNe5Oy3OHamR6UVQfM00jqG59m7vB7oOm0rhivOHxQGT0m5fH3k/unKYLsRdtBIdKtuVHpnPYeYABayp4W60zGOCb0BB9B79/lapI8UQkECT6Vq4JgChxm6YyRPEcljyYzO0tPXo3rAmFppN6BbjAxTt3SYkCEQbCsh1lxoyPkcgwPYGY7QmhbiG6JPw+ZHM2smlVWZJ+FtQfLIMZeJbHmCCE0maavfyzw5j6aWqig+dUxkm/uITJpbm9xF3hxGuDIMfHSb7IYBdIac4k8E+5zc32FhbAX+FbndxgWRQx+xLm8txYWl06amHgdp2u+azG0ZB+L/yFh5Y5Ziw1IeUXohFryxusIqTkl8u5ChfaBDq7tKD319M1gIbRYQ1jFTaxBiXEssOBKCisDLrdubkpHewZHhHydKBEtzhGKIDhmxrtDzpHXdnUs9ztTLxaklVSBdsailcXQQo6ywafOviE4e0qjmJNMjWVSrCzEb6Ges+eyJ5yhJ3c0RZCzyzNP2NgdB0IqHp6dvZje2d5AaBEaJrEDb9yQsn8fIcA1tEkdcr7OYFh9YOWugiaOFc+qUaWLDjC3e0y4bIMJRmqUgUHr+WAZwLjnCV8/99yzaX5xES2Y3aKsgxjavGYFV4yuuZdq8tCDD+iAcHvdshv9Az3BFhwDfeah5cwFQeRYFAWEbBSh7KUZiWzJWgid93r/wcN0+fJscNZBl/Feo5wVrt9o3jZadBSzr0MrjFlZXg2I4n1KJfrYlZ/FcUULMvniUxePYfsKQjSATzF74TyfW0l379xLv/rV6+m5Z5/lfBmOFR4M0fBG8dFKeL+t3IsOsM6e5zU62trbzjWeLu4a2hft7QKzmc4w36FAb+E7nMDFG8GTxtskNF0DErVyT1GmRiac8LGAs9iHA6o29mhAivjjI5949MoT+6X1L/7iL/73J3a20xNFrR6aVkfH/yT91U2tmO07t97FESGUyj0fEBwxFKqAivJ2Ec5DTFwezSP2tFJBrenRjgZRiCrAjcioA7MpDP7uxJgwZMW1pv4CEz1IuihvCC26SeGrnvc6WHgJAZA+U+g3tzJBlpWQZtOkSolNTKCFwdpqLSfFazAosAcPvrGxmc5fmEkzM1Ohaiy+3MUh1MkydLtE0awcrS3BFHwF8Q4Ct4OD5PXvginNL1kHOx+j1VahzXZgFGRExOs6VTdvXmOx9Ybm93O94OJRHNtVWBX/nhyfSL967XWuB8aCe3SRBiXItbYikMIFLYT+g98pbHFBS/N14hB6TXsseJ22yAtHGLU2Kytrgdmz/AtoQ4RW+FNE6fTiWFoRbXW1lTkK7TZjtkeuS//waDo3ewllZWRPp/CRHubbY5j498xxqpjPPPOZf22ORg5nTY0sUmaFMgAtrOrpczOBz3YZOKNBpgIWOslDRjjrOHodOBI5hNiCR+QMc8vfaAjhRAGax4ia5eeNJof7aCnsNQnhV9Buu2lscJwJqUX7AJ1NnTTzlpfAp16LC0YPf2FhibKqQc6rKdXrNx+AKgic0UXeG84Vz924cY2LyKWf/fwXAVm2gUTiaoXi3Mx0MBVaC+k2NekQzs4hAmLAROwdXC/CecDPKkLyne98O/38F7/gOqS88rEowhdGU8qGuIAM/Sqcsh4jwI9deoB4nQqnWtc2VfcfzoUjtsf9n2NM5+YWCZrw3Qh0ZyfMDtegBHUCHcbGCtB4pMeyaP0ONbYvmhpwUEXY0dp1Mg2NcI7gVOocPlybAx4BoxgPI5JekwujDZ+myv0enlARTwjbShOvU5hVQNBVHL+toykaWWIzuyf1ATfHROvQOJD3b7+TdtB2x2DQCbDrCI6YQsc7aJ/VD96lPo9EmxLBClkGmQ1bl0o/SfN4YvniNcyenK+02MzMTBojqUjNpObWRK+jOcWNOoQ6d2riZegmtY2TKH3npcnNqhnlZp0QUxIVGB2d6anJgDTv3n4vPX3zZgjuAFpnDMdKoVWLuUBGRobje51GF+MkDqbZZH6v2tyF6mp56UsvxEJSI+t0bQEzvD/DwzqpasvLF2fjNcfvPEIq02NUsIwm9DrPca+3br2Xrl27yj1uZHnYfKeskFbA9zxE0H1U+P0eLRWTgJBWAtJJHfbhr9hqwet14cjNu2CEV71ADO9lY3ODeavj5A3yPEKMf2PN3xbY+5D5qAEZuzjPzIWL5LVcQAmxSHjut6GRmyLITkJ2aJj5g8FQmGUESuBCHR8HRcoJWY2BNBSsoJowb22egozeCO0mzRXalBObHzELFfbUzRtopVIIqH0vxMnTePAKupBG/lMtrTbeR0MpvA8fzkfesxO+DdthpGqWZHIdm1G0t6Hc6RlZgBIa2/yGLPFfiyCEUbOJOS9fupSuXr4YQmikTCEQm7/x5puxsMSxB3DX4mVpK3nmC+fPw6qMpIsXL8SilFkQUoyBl7U6LqARcOws7xshz0TKawiNXGE8+vpJDgIOKGQTwIp4P+MwgBB5XdPTMwELVBobwKdXX3+TBYRzxzkCMyOwfnYFOk/LoYXU11AJKOgRjEIze73Sbf4IOaQS9SN2mDMXgs6257G0SdDSxueHGfsJOOgex4tzmsP8sYJ8Kg589IkfTYEWDoURMzWWoWUnwXswxn8DzTZ39920XjO4sROmeAgGowul4aQdkRGWcPZG6EQ0OEhlNELpOrBhnsJXQTOMFydwqC7hnT9F88NRNO0qgjgeDpA4TVNo3rL41clZJwH/xrUr6TpabENcDBa3mFLBMpBxcXYWjDoYyf9rq+to4SoaN8OS8/PzaOqe9Nprb6S79x6E8F27cjktLy/HPXlvYmMx9SKWQMFYhD1Ry23xXXLSZu4JQRRwv8/cXb9nhet2gfbhNCroOqA6iB4GQbQwnmcGQTWpqMq9b3Ivly5e5P72AyObASiGVXvOea04hloy80T8Tj+zDiduApCWoIecYefCc7uAC139lDcBhRjfKyzQPYT21jvvkudN75FRqj9YDMISnToLIOxOb6pqhTlu43oHsEz+jfYIP6E9WIu4hcf/8UubeDRFI3OPlJFnfXU1m2pI1HE6AV92og035x5EumE9ssesuIYG4ya7mBThhVrXzxsM0KxKd5lnbBRQcyj19uDBXFoELqhJh9AGVlULzcXe++QzvPPO7YAfQokeNK2LwOShl198kW9qOe1eNBbCpdetIzWMJrx39368T1giq7CI8ybW9To05fLSQgk1lpE223k50QqKAElL4OHr/u79K6wuBpkHnUy53x/86MehPT2/jMDEBHw3Y2NqpvhZrBolSpzn3v0HMUbPvfACHPN9BHYxfftPv53+n3/9b7FOs5kDeu5cus/7XFSyFkWswABBkIsXZwNm2AhngiCLc2PCUaRe8qjm1sntIxfGmjvpzmEYoCFZCO5HhmeEMfdaDBwxFOBhEujF7dz7JN/bP30ezOzCJ5Mw8so/wdnj+72GJ300TZBRIXHFwVz4K6vfJKE6/OoYAYLV5Tm6Pm7yNNiLlW6BqYLURzpnFRXs5Iud1e5jTIB1fzocc/P0V3aSEf6scR48MAJlco3aV5wnSzIFvjVYIk41eyzDspr2i4FFNbkmERm9koK7CFyZX1gMLWlU7gE4U0dPR+7evftpCXwti2G0TGpOEy2dJwbWsTMI43HrvTsBWcw8E1uaYfYaDIPY+vKlWaDQcly/ETEhjGyHOcLnz00HBDFSp1ZdWFgIuGBOs5r9xo3rpKjuIWjV9MZbb6dnbj6V1kjPNGvNezITTY0fjjX3f/XKJbD6JLBgJxahGt7F6YiKn6PDE+O4C/ySwnz44H5YKrMQI+rIe1DZ4VMI84QU3XQgMnBS5P09fNfU+QtpHGzcKt2HFnEOo5gB1sJ5yyTgA3LbeDJG68n90yRBFmVl0FgBcn06KNbhGCyoEV1beHgfTYYzwTt7yIMQ68kN7+BIGHmyKFVPWg42B+7qRRBmZ89TmzcNbttO//CLV2AkFmLi1NZi3XtoaU2ftNICHPI53it+tjLY84kLwwFCUIp8l3DAqohdBEQ4ovDMgJENJKh9L8BH/+OvfhWWYJ4FJDsiyyC2FfJEphuTJwaWzZAr3kczO+nhOCI8Yuc3icQ98/TN0IJiZ2k/hVOKzfRTHU5pO1kYz7UGJSdL44K5ffs9Fko1cLBO3iHw69qVqzEur7zyqxBerZR42mv3urRCQhIVRPDvnEdtr4Vw4fWxGKUbb926HUJtFNBeIP1AnG4W+ABjdsg99gArzNPmVCxifBgWXY7EqwKfz2M9qywYE+oLQ3weTZw1Z38fIyuzMffOf+P4/5Yga5QUZNYlN+tAqJF5BkE26FFMa/RLzlFcakmPk43lCw/cZt89hrLR2gNwwSbY26NhbX0DbbYaGHOcRBi1m2zFBJBCBkM48vNf/DLDlkS31DJmn6nl1UBqYE2qEMLr0sTLCdsHWMFqVDq89dY7cb1qW9/z3t17XMNAaO4Xv/Q8C0XMnqVrWvEhtFBrNhwrz6kDZ9LP9PRkQJpetPK3v/lHXAdwC2EwmOF5pNe8TgXOaxXTe69aBAVRJ8vCXR1Q80P0E2Q6hFgLwAsDHTq9Om3iYfG3C8XxFKKYrOW1isnFzMIrD+GMFuQyWF/L5fuufvGLqZfxLnL9y/PzEZ4fwgrq4xyikQ2mOId5HgsolQrKY9dEfCzg6PQ5Sq1ge1A4ABdVD4/va2S/Mw61W5MEuSnOXnbVXDHaIbtyxoCbkH6LihEEZM6oGwOj1hGn5WAQfJ2Rx8QRuiWa1nXYE/kTQgDN5CY8rgvDyTc9sgvsqwdvZFB6TmHsQEMYpp0Yn0SbVCOAYLDBY3lphUmhVzNOlhpxHHytcKipDaD4/aZymjTDZeDlr2HmC5Edd+HCOc5PyBsHUVrMz4vR1crT01M4TThFCIp/S6nJmKjpPZE5IGJXAy/mGuuoyV6Mc18yMkKaFjSw9YKaes+1u2gH0930nT/5FpH7bhzJVZy8Swjpm/wAY7jWSXC18Onh3Bz3OxaccgNOCIlchGbnPf/8c4G7xe0BhVg0kygDgygqAB9L3OscFm0IrSxUG2AR7nKPBkBcnAMwJxY31GvUBDJX3sMh0dhBFmGUNymgYV99PHOEaeZvHv013nbm5Sf164c0/5M5sZf7/o9CHL64goqmamFVP2TyNsnD1cu/dPE8MGCSnAyqJeApkcDIRFMADxDKVbCgEEBcKs7T21bYFCQdQWGFyTmaY6Nv4mi/3hD2EZEn69A2N6gmRkhisLkenbOHvE8h0pHTi7+DI3X1ypUw7bIbRs66CCooYBMInfV+5kNcmp0NimyfiN4Cn9eUq119vHB+hlukChmz/OD+Q8wzmXFoK4XB1WxQReggdtcPuIZWFCPL59p1Sdz/JlbBGrke/tba6EyaFGS1uZywWWbW01UZBzG+TIcCOw80uv/wYQi3WWoKnoyI4XuT4V1YWie1tlhYXv3e/fuhrcXS5mkPAStGuR4XsmMj3aglcQFI07lQ/bwLSAtiA53wAJ+M4HzqszRNI4cYK7gcrkSFWeFy9VoVYpPBKlUPPt3DgLeZX0H2VwX6LQ8Xp0k09CwkMJKWJQqRdsiEmURUZkI052JTt8u6e+9+wAoDIctoVR08BcscYrGrSfCeo0Y0a3pqiiqTyfQavC/zGzzzMotCgZPOmsdsb6n9ud5RYMUU8MXAjSbaqJ0CF/nLRCs3mWirPoxwdWEN1NiyE16/gQev3yCG96B0yPMqxOYvyGgII0xUUqj8jFbBMqMOFkYjbG1udf/AaCwsaTojlq++/hraex9hJeLJPVru5QKSaTEgM8Z1SIFu2QqAhSPc0CnNl/LBgoilLfcSOhS5/iGqn8cYk0MUgsGqZahEnev1omkEMEclroGMQxu7SMUFXON7hYAxsXxX+ED8dTrV/Pb5HU0T5I++BSUZeMGkiv12yTKzbdYAzl5fvyXmFD3iEOrRV80LgMHQeVObtJISZyWDQnzAYKsRhBzCCCdSIRvh7zm0knnFah/bcykcCqfm0wYkBjD04F0E8qZG3dRmYtKnbt5Mr+Dc2RX0Aea6UqFyAkExz8FsNdkEF4dT1Ysw91MZYR6HTpr0lPhWZ62KppI67AdjyvFmRQVZmZfO4LkZFtJ0hu+9LheBS97XvBYF3vIuo5S2rTJX2Pvx/i9eIhDD4pCeU4CkIZepBpEvnkCbeo2Oi1jcxJ4BaDSz3vqg/7QGLjyxtIK8yaK/fv168NwW9vZgmR4+fJBmWLi+x7GbQysbrh5Bqxse7+/pZK5I/ueewUssBN4HNCTbCIinMH/0zDf72aYKssKRHTh5rtg4eA4mw+jcP7odA17eGBPQR+3Y2iZ4b2EZz5w6OkzoAJpLjz7TOmS+IdQOpqeS1vOcOlqaPCGBecL2fJCuk14aJ0jS4HJNoDGZqDFBmstJNLMpjufQcmvkQuyhfaTi1ESrBCxMRhf6iKHNeJOxEAIoJDXwt+fu4fkhBFoNa58KF52wRO/f5CEh0SoRNTWpeFgBMrTuZ20kU8Va9CNs8sjmSijIawQ3uhEq2RYFQ806wO/9LOwKSVamfroABqG9FMBnWIAWn1rYWjyAza6vBUxw7BRsoZgQRAthPaE5HVZzOJb2Q3bRDDDeBkEsnlXbujjeuoXji/admZqIhSvFJzsxAszZLdHAvUKOCddmq4Q8KbgfeSgCjan/yDc8mSc/lSC/L6AffxEyiV6/vqvynMPZsZ1TnWZ2uQ6Su3uHU7WNtEFYiu6hMQYVLhZnxMkwSlVF05UYRM2Y/OgITEB7lUoHNEMnecAP0bxqQ4VzdXMtNHwLiXITJMCbISaM2MLM9nXSyYgUWSewxx7MUE1OsAITC4EFJDQYB6OrzWUxxNkZTu9DA/UjNGR0QbqIy6WppNfCcULgzVmGgGBBbASGz3Ofltc/IDjx/PNfCOii1djbhz/nu6XD5Fhtfn2IVutEmMfRgHLsJwi53ZQ2uYYDINMu17XJwnx22p5s8N7ApRxfJk0orra9wotf/EIIu4tQzCrbsrq+Frkj/YyVFsxFXCIloA51NjBIFTYavsNcaVIEdugHV+C+ijZ14b0d3eB5Um1XNskSRNj1XbynIg74+t5BJNDbwDvfC0uCz2AOcntnTyR9uX1GO+f0/hpHyMDpnyrsZh2fSpB//cV4K9ntZIwyY40gKdkENumxSxvTDnjdroFIti+3nA4kGE+W4Jgiza1SFS53K8yrFJsJNWoxc2a7MZMmit8jAFKh/OfhAjAAflrnZnQCQe0kCQcYkUeCbR9ghYNwBnqf1gPHabC7j/1LjFyJw8Gje528rwxGHMfhew8NukLOwxSJ5ppOsC8ZeUgZE2oTlswi6CwppZHhhhDppIp3LewcREMvzC+EwItbzfMQN6tBxf3CIp3LPQS1FS3eAXwYG5fmKqeFlaVUWKTqmtfKfEcHDmuN7zGrLjfO+HEf3TznytrctPSpNy2hPdc3CY4AB0zVVHN0oaFtzq31MAlfh0zhtReIYe4d0gNKjJGh78OiCxKhxUJ1Ax0Wlwh1s7fLwHBfsDPmWBgprOfyaaxGh1Q2M+odIruOhdc7PMY8wimTLCSNiAcU4qHMfohJeF++f70I/RPf0RRBVgvHSjx7MbRayg6lGVYCZ8QfsZvmydRM90BuJxhifVxfCd6UFluW0lsR3c2EuTf11s56xPzFjjeuX0ODsq8bn7FQsqdA+byeNHkUNRLCjXsreGr5kpE0tFwb2tVJCrjCwHaiUQehlu7duRObItqySix58fx0hGc70JR5vteaP/G1jlr8h5YTg0YOBIJyQpGApVkHOlVgRjG0Qjw0RnolcMDssT2uQchh3rERMjW7P7FHBecb4LouYmGM4BmGbiyWA4RzlPausj117kEmYnVjLRgErY7n21wnwELOijBL2GFes4EUF1Ee5mUKnFxvweohkDI5q6sLsUA7WJw//MFP07f+6A+wMl5nVjibzw/Ady/THXWP+8zC7HYW0oqJ3W1h1sK4F1gsKgSv1byT39bRtG9WmNW/j/2YDBHrlBDyzAwJ6hdCC+YY9BqvuYumpThqqEuXLqVnn3mGotJJYAAJQ2yOg1pnyFrAwWaWzWHKqR4mymeiyjj7inSiGbY2aIqCFlY7NgZWbCrW7ePHPAZ3YjU0rpBL9KtF/Zmfz/qkuXXaIpMod1pAU+kYKrQKuVSX+FhoYdCjD4Ht4vxqZ/G1uQqW4cs4xIYxOId+Vv7aoIRlV538bcSM08V7xdZSXx1gcaORswizFR2eR6G2J4jcLr3FgnMXqtmByM+pBXUWpcHMsZCRGQWDczloU7ZVQMjtrWGgyQVuTZ80pNDKCJ/8tBUrly5fjjwWt70Q766s2OejjjN4LUuThSkx+KO2NwrbDfY26KIQ1xhvxyWYGZ75bRxN0chxI6rkR8epQPvAitbh0SRNkf7nXhb7UEQmoahE93Bk2jHDY+cvsdrJTsPEWlktK6BJ1lFScy+/s0al81ZonBHMpcyAOcZqIyGG/O1JLwJHOY7a3onuMU8CZqTRNFAHTgEqofEK5BEoZBvACrVpJ0KK2IYQdoMVs0JMLIeNVdD6OpXRZostvPow4xYLCC9cNGpFD7WXjp67I22Qe9HDNRiSrnbZckqNjNlnUbRgsj1/tQWKkHOLMhVko3Vmso2ODEgQkHRFqwFbaaFpvR+DLPaI08GcnZ2FJswqyRU2K6Nt1as/Ixw7LtMjA+F1rxYXfaELdoOxXF/dTC988Us4nSfpnVvkiXAfNkhU6C8Q+LEj1ApwR1bEYkrPp4II7cw92hSxhffKiSPiWUSX553qz/NojiA3hLjx+Oiu+AUhDGFmZvrpaVYp70c6YBvaFAlgQxXyfjG7O2iG7j5TJNE6CGIJQn5vnoQhNLaBDht7mz5opM8ggd1yNKfPPfccUAJBQ5N1gPeGxIlMNBAXY4CIqFE5X2bawcVQVQqszUYuUsL04M57aRHW4Y+/8XsRYZNtU2sHhBCisNCOcJzka4UFwgeZEHMZDKMju/RXo1XXXjEWVx5t6d7NQSkivGrvtjYWEIKh9tbjt8ecyT9dCiWC3An86YefVagH1HpAMYYFXL1PQS1ROK5hbIyxYyyqtSEsEUk8aFw1sgImy6JG7u+3+xFan+dKpAXYIkyq8vw5MC/Kop9UgKvXrnH/ObLx/p4xaIX9gd7DJzA91n3CreJeXlnnfDSboYC4rweH3WnknBnUABnxu9bSJAQPh7rxE098Dv80R5C98IYQP3YTjdsDazJA9nw7Yncg4/R2qREfDwyTp4CsV3jdUh6pIPswRFYcv+/sFqlLhjlAcHf5XedJh04Ky3xe8w5OCnjlBleIQDET6AmSW7DjDrSLInIbmOk626tuIcD9aPC9HbCn+R1g9m5YETe5nGIy5WuNJioZev9WclgJbrTP58SGtm3VIsgxG3QwOhesBkJqJYYdfNTamt7ODmph1GpqfD5vXaLXpLB5jQq624SZ72z7q1kihQZ1FOZdmIMCLQi20bQWAZgjkRcqsVhMhjKgZCqliVo2SFecbDMm72x5laX9Wi01pyF8/Qq1s3uKSP199eWXIgtvFedxCcihRRH+tLPI1mFCjo9buJ8sP6SL53M8zzv4xXltOPfvT7jPfl5H8wT57B00hDrujH+YSDOluhG+nT12YWEST/g7h+MxPmlRqaXxdOdBCBXSYYTbPApTNV39G0ARy+RtiuIm4F949gsIWbbHmyHrMppveJCcYSbYJifiwU6EVXzslgIyFYazpdW2jLTBeChUZQTy5o2rpJguRTaaSTPmKpuPIDshNhabmjNhDrEYWbfWaKI8rVrO6xOa+GM0TWdLSzGJGTeUYrdMBd2QdtbQJYsKml/iApNlsMBgFxrNkP0IPK/jsbVnQ0Yy0nooPsBZM/jSgha0S6nCxFABMSzRIoyM4PK1HHoqGWuS4706dl1d7PFdoGoFvH7IPehPlDifVS/Ly3T35Prv378fDWL0Z4QRMzPnUCiEqW3Czv2vQ3t2Yw3diEg6MjZZR+i9d52uxnRnV+C/zT+aL8gfWpY+kQlyJwKiSXLLXicjazFL6Q0mrh2KbmRoPHDi/DyZckyqyeAlugq1g0En0HTi4X0ah5hEZK6AFQ2aW4VP79y9+brAvkILedANuWme07za+bIzR+QMPOim7u4118nzatJx8Knsg7jQCdxDO+tYmThvsWZDg9olKELnfKeZdREKR+MZaJD7VvOaAGRFSn7QVgXskMR1GQ6PcHc7Vcj7blxOfjMLkbeH4LgYjQpG3gZQzEpr95IRmx/jpHawIM1dcSEokK30DanTQ7l8ZH+39jTEmMps6IzJsjgWjpM0jr6Dmlb4YUmV7QmuXrnKwl0Ey/em23fuRpDHiGAPVKiMhZYoy6ajf4djDX+tUmH24lx1FsMx148chxA3pjweleqzks2fzTiaK8iNOzpz5WJIJ0ysqpCYS2wTQqNXvUzeCdpHE2nTkRBeTLYZXZbRW+Y0QdaWeRo6jLIJdrxRYM4TOXPCMt4XZ4vvcFvZHPsnG2SIvUhIRzTkqoY2H2GSCJeUWadOEyb4EMfSKJghZE17F0JuxMysOwMJXreaTithpM1MNlkBMa05GNUT01GzVmFeqxUv7kIlO2DuhgvOc5hQv4swqP0URAM0GRuSLRIXkUlHWiEFvxXu1qY1ZvkZcbOPcZnoZ7lsDwzq5oZHeRHNi0Iw2NECRj8BRrjzkumiYt9h8LN9nF1sNnpRuCKbkHH0GvbR7OYoG2HcZsFbuLC3rNIgCkvm30U09vraJsEWino5t1mMnsTWALGvIZ66C8T7axxnfm081bTH5gnyB+/i0d/Z8hTfdWJ+LUNSq+2D+3roBiSW1JlbxLyXD48jOUeBcbDd1HB6ZjK07tzcPHTRAIvBPS+guBCmXC7roRwayHAzpP/+wS74bovuRps80teCULRl7HctC2KSxyhbmhwfiY733WhpHce7762kK5cvkWyzQTU0vSacLCgs+6SJFbG2TBrYm88rbLIHYkzfK2QQt9sGtlCw50YmUDZK1DFUwOXGFxapFEGTm3xkIar5H+YI6xPIzLiwxd8ufEPIh7QLW2dRPLi/ED8V8pPF3+1YFQMpttp9+eWvABEuEoG0HYEVNPZNJgoHV+5iV7OK93U0ObVrPXwKtbOH0Uk/+80//iPuq4MsvDdYrBWcvTUUxQz+yyBOuCVd5IWw6LsY43yXvSykDz03HTpRLI+ObKof/dnMX8586xP8GkeocROnAtz4M3sBvhjt1Mmm3KYFTjBxk6NDRL4IjlTJNSATTI1kxbBOlCtdKspJWSMcrQNWpMpEAZcyM4klOGMcohyDerhFx05M5Q9/9CMm42202FqGY0s4Z1xaB10p5ZKLBziF/D4zOZhe/uKz6etfeTGNiV3RqmJeawFjH2W1LZCiaKiZ52UUjhCIOnvP9cvvcrNaFys1ogtoUCStdDpajsQlzbGppg+o4tYlsvrk3Mw0PhKNBOHIo3Ej3ykW70U7h7VBkLrhbc01PoB2e5W2s//pP/+E4gI3CuIeWERHZe6G/zvY0/C4Uk//8W++n/78v/lu+rPvfCdNTI3yvFrTQAW7AHDeEkEmOWcXHmgrhM8IY5nPOn5Xr10NhWDClLDC7So6gS2Dw/0BaXR0VbkuQHOv22klO4zFM+DSRTQ1HD++8dHcn/1dAXikzHzhyR4tmLn3ZezJnvvR2d7/An5jBKW7HGB3HJLuWl6cx7zn0Iz0h2CCdtCeNt5Ts+lAaPaFGWJJTbC0mx095U+tAFGL2IldAXCw3nzzrfT9H/ww/fu/+g+YT7Z6gAd2/2u7dYqvI0LHFWTMwhFBlN1wUm5cnkm///IL6eUvPZ/mqdnTASpXwZ4QAEYA3ebLrYnFn5ub62ElxkboDYHQmWwjhpe73Uczey1zYPvrV6+Gtt8hQmZkz0y5brL9tEKGlLtZCOYdK0hSiaZxiuEt8ZJhuIfl+Pf/8Xvplbfm0MBSZ5NBmx3Q4PAY7tdeeRYHmPqptjXSdxEo8N/9+XfTF59/JnKRZWL6gRZautjLEA1fJKhkjrHYXupPx9Xv08roN7DGOF8Fpw+LwUIS31fkonH4mIKAfkMj42l8aobKkhHGHaI73FkXz4e0F8+dHr7UBIFujkZmEvwvO85etc81fsCaYkb+LjCQx5UDOlFSkQG0sDTIsn637hXTmeCus2JUKjqv42ho+oZJMNeEytEqCP7cwVn5y7/+6/R3f0eVMkI8RL6AVc+GpJGUyF3WUVFDWdmhmd0a2iDEu5Fu3VmIIIt7kUwTgnXJidUr++JYIATXaTd8qTCDMrImZu91IcQGPcSY7hqq2XcRXrp0OTT1CthSjGBo9+TExjPkcNA8sIOghsyAFsDryRxVIoUItjz1m2/fSv/2L/86LQONblwjJ5oInPTaJguvCiadIorX09WLo7sXzpvtCPQblqiE+T/+z/8rfeXlZ9L//D/9D+minDiQydyKwaE+EqcGQxjF0z6n9TFJ3++0zMzgk53zvc8SvZh1brtQBnk4t0KvtYAus2xe5ePd/aq9U649UySPpv5UAj6Ph6YUn2ZC7M02hNnbzn7PHjHFYN51IIRNDKcQGk26HeVlEGwxZSK8rZ+swNjC+TCFU8pJFkCHwjJ1N8tRQ3chEANoSSuf/+9//W/S3/7tj9BM+5hXQq8Q/FeuXErPPPNM/G6odhWhff2NW+nu3Xk06yZC1ZZuXr8SORfLS6vpvffupj/8/a/ynSQMdcM+tLo/Bl3Z0Vpeh41a1KhR0IrFkHFQsE1U0nk1spdVdNjs+ySaDZ47d47PAlFYOGJO+zkbxvY8rIUw4+aKyIO7eG0m86Of/H1699YDtju+SM6GOdEjZPtdiJInKbif/PQX6a037qAxSZBikXz9974aGtTFeXLiAmdvQmi7KnBN+jD8EWCBxbvr4GHpQUPnWjZhm83QffzhT35MiiuVImPDEbbc3i5KAABAAElEQVR3vPVpVAQFrjECLsyo+dHy16pvF2YUn0ZOTSbkHynAvvQJL3/kZ36DJ5siyGpdqarsaAhw9pecqK/b7XGB/hY7RNGEGhalusmLgm4aZIfmDTNnJ0xNnRUaUlIGHYQSMgqmXxpxEkOvr6+nH//4x+l7f/N3kX9x6eK59CUggpUiJtzPXqRYFWE6h9nVSTQF0gYxaklLoWRR7OdgU+wNnEITiYaHRoIr7SI6qEMpNPF9R8ALzbQRPblfHTPvSs5Yq2GLLwXf1E3zlLOcBvrN4SyZrmq18wZ50C4Ee7ZpSYzMWWxrXw4rNn7+y1fSj3/6X9JLLz4Hm0MfCRbb008/Bc99M+gy869rYHTzkQ1Hu/WxrbKGubfLVy5wLQgszmEZ5mZ6aiyS7g9hO6yR1EGV0TA66sKyV7S8uBHDVZq5TJN/PDMzFVZCh3huYZ73mV1Ix3zyMFy4/nR3k7+BIHP7nBfIxsLXwnyipDZJkJsELbiXx44zwqyXwbTbEd6olnF9E3PsM+xhCqQJMvcYPPNqTVN0l07pMLlXNYbJ9O5KL8ZVwBSKe/fuRzcg68mEE5cvnWOwSRBf3oxKbPOQo9oYXDgybIsAGw7CLmA680zWApGsHDMyNcGWaGSy/c2Pf5quP30DfjRr5mf0zooQJ7C/apCC3minWD7borhAo8LVcNBsJ3ALiGOF8hFa2i0iooE4nxU2CG0meW0MZ1aT7maVantTN3M4wGvg73fv3MbJIsrYm08PKDboYBENDoxAGc4EVs3lKM7FTzC9tdqWBTXWUQr/+Orr6fkvPJUsbq2hHDbZjuxVuiQpgFevXENh6FS6gafttOhnzD3L21tFI6Mi67JJwMnkITnp0VEa3zB9h8CNAs6dZVl1Fmj4L1hIvc2os0SAO7E+eYT7E4XZjzThaJIge7WmviC04dyxRnnKkhlTHE2YUXjMLaihhaWJTD4BsCKkOHaYa6srpHTskGnzPevh7BVhSmYOrT5IyiP+YFQ9r9FL7vs//CF9iuE/2R/5W1//PbTbYHr1zXfhn9lbbneaqgpyC4hEmWW3u47J3YQ1aadxNk6nNJc87TJsQkt7jQaBM+nvf7aS7izdSZMXLgYOV7PLsAgDpbF20eZqo+npGbRfjTyLzcDLBkyG0LwPoQfnFxciMnfEBjatCFulggXBIZI1MBhkyNycBdsKADDCZO/tb6c3br+etvfX08wsTlQH11+kOpvw8PERwr6Dkwccac3ZG9riAbdpIzMPR1iKbRO8fO/BfPqD33sJOPVU+tnPfoHfMM+3smk9bM4Lzz8fbJBf3g6bgarFWSGYgbC6SaTXPzU6GRDK9x/XyCZkAZYI5x8WNyKA4n0PQv31kMuiNXELOJGHVirR1zoTZJ0+ZUC19f6hZPjzpI8mCbIXq+QCFLgLhTh+EQYgrG7/5WJ2C63IFwbj7eCwKaTmDqj1xHPRpQhNJbzwPJrynV1DpVQ7yBsj0OYLS/h3k297sq7g53EUmRBMq3Bjc7sIFr5Luc45WqJSGcw+HWLLuQfLKBNbWpkaarI8RZ84jntAnq5+NF1/R3r73nvp5S9/I/pH+N3i4466IWCEqKSjBsPADB7DtartdXbsj9Ze7yDKqGNmZ3g7ibLZpK1bmfSgA9iaQGFu5TVxpe3BFI7jGvuTbB0ixOxpQu5w33BHLNTlVQph66X0q1fgdWFR3JnJItZ52uPqS3jdZvI5DkI36Ub3NJzCYbMHxsqKxaNYLwRXzB4b78BClIEaMh1athY0tTkbwh37uXHB/E/FtFCHQJLO+CFJS71ESk0rlf6LbYHR9N0oH+FPR0FooSArVgJGgWLDK/KZT9TVvPrpj6YJ8ocvCRyJNOqc+aPz4EqVdRCb6eAYMNChs9m2mkGO04bYljT5XvGdaFSKSLwpVjaD67C/xKRN4ewtRnhV3LsD02EzQp0pnbqdrf+AKe0FSx4AAdbxzO2aA+XFKlPDimvbcViOqEU7RkPZWPH+PfuyGQnLNI9ar5PrrmE+PW/5SDqQ72DrNC0NqxQqi5A4wtXGfagp3S5se3MfzlxcT8gYZ6gKZea1R9NtBKbKOUz/rIHVbRpexIqY6NPN+4v7c1wDXeE7W9Irr71KNcx80HNWz8jl+j4tlw6btJ33pDNqOH56eoxFZ2hdxoRaO0LvlmYZ9bPPm1XjQb/hnGoV3n7nHeDMUJpAqehXmCrqPSR2hzCnujNvdh3FwcA39wN3W2G3b3Bu/P745czEK7if19FcQQ5NzD+qUw58oUyQGXgrEax8KKI5jljxOhvG9RWcyDBjoLcoRt1gwty2S+dJHtnO8VbrBgmPkKiJdKAs1amJ0ZiUAiHYlVW29oL3NLHGLLm19R2sgHv5IUgIqpwnJAn7K2PWmQTzFfLs6HnInsw7mGvptMX5TfAftWk4MRljIcWH1kOYFeADhNVUzEPuw72mpdAGCJYYfjadiKAxbAKLj++x3s8AhzkRFb7fvxVee1UYcvf+DZ3Pzy/hrFIRAxb12iOAQfCmlR9bBqwSbfRaxNkmI6nZK7Q4qNNGoUuNSyTR0Ra3WkyqMjD3w1C7VR3mUDgt2c6mACvmQa1slYnUnZXcht1ljAz7i+H1D7SwOrZbG/DnKB5hxNT0OR4Z/yqWUcEm6/CTDr/Xn2YczRVkrjiDFcoyegFJDo+XwVP4LMXxeQ8HfJ9NZczxbUdgvWW70/u8PKYwQ21n9Ez4IDesNvcLZAqcLCfR1lKaXkQu0xC87ncge3xeHtd0xqyUXk2lJlEre4Rm4xoVQZ3MIzCo9W2NQ8dSIRIh2OjvhHrBE6itLgR4gsCBpl0qr3JkPnFWPaF2VvOaeWbgwR2PWrjWgES8V80s7jb7TRMv3bi8sgnLMhnRRKk8h8huTL5PGFRjMSrYJxQlKNBaFG8w8D4LzGR8/RO3QFaYzfYT5pgTYk8O9xqMsXc+WPyOn/duY3MXy/25ecLi23zvSWhox89UgB2ec7Mem784Ygr/fsEc6Yyjd5s0KPLfytE0QVY8HYBMRBQZ/mNgGontvqbQCikMBPi7JfzCDifGrpPmIGg63VnJvZQ18WqN7KSa54xT1gSbf6wGM0FImsnEGAW3LIeKCY0ghtPLNTipJux4DS4Shc+JLB5Ymu/OqfQFRjMfsR3ZEv3mFARhjZ9TRPT0feRPRB5thFkuAFuMSnqPffCx0nhWn5T5sS+x1JTwRcE0b0NaS8H0M+ZXyPOaDmnLrJ1tOoSOomVRcJkTB+rkOzryVMoguNn1WLaPMhDbItRem/emgIv3LcC1msWgvMn4jpmLUGGO9mBcufCNyw+hNgXAjk6ex5Ism0Da88NyM3dtUsM7R1KhkXvCxTu3jmGchO92DHXxPurI5OCjXnkyzzGUzT+8VQdMnlUPX0F10MXC22RqiYNNSLd83eYqDogJNAq2gmtucS+41CJTtWUrAmtE6gQNrEPZjhrQDPqeg31yNYAV8qSyDO4jbWWElNoRrMExHl8Lm1BWcQarBA1y/C79yTNcZJXzTHANYGk4WBWdBZiRFcd53EvabDlZF3/cX8OATuxMBdXlB9oRBLcuMODDzEcuhmH0Nq5RwVFbCqFcBL7uwLQCldx30Epp/QWjdvu7UFzgdVt29fefZvMpLF4Un9WXaCNPRMFjSBBgzsS1+Hwvzm4vEMfMORXD2Ch9M+j1YWqpvLafkZoUFjkf3r1Cr2GSXtP/8LrslbdE8pbZeAdEVoNDJxBjA0WT/rUg9lZmMlmEKojHxclbbPzwa1OPx7+5qV/lQCvI2Y+pjMIMIYahUXFZlsVGfjADFBEnXjexxkVgMrqBAvGzSsDPidXEeM7kMzefAXYMhgleIkFcLT1FjwsFRw2mIFvf1p7nlqGIaifgvhx7+bW6qHjkdbXxZfItKmxP+/ABVcZdtqCC0gPD25TcCTcJ300kj6H5Qpj5G0VHmB3HiVmzdKmA1lPzmclns+3ApThiLlYnVm2cQygNAvEP3DHMBn7AElrQHAgn5aBIv7rNPbR7X7APJheZ5yEk6UTbhhXj1js71bLkoaCJoR6AHXT0nxiOimxrHOV/pwiIXL9+JWCFVsItFXbpu2eOtlFAE/jDB/AGOOzlLJ8sW+TehVvw5WF1WKBWuSj8kWEIX25HJedVW6Xi+bjDM2dn/7h3fLbnmyLIagEnzUP8GV02HWd+9zXxntGkrPo3H5pWITZC5ep3KwXDxA9pyLfHZKg5lN6g41j1ft4mhDa61rGSGhMzX7l0MegmQ8B69F945iYh3YlYCA52nglvxesWZ6rNOrs09SyDHB48r924YYfMAdIk2bp3jT4UUHAlrnNx4SFCSz4CwnZsASjBmyrOWVlaionsRLiGbDEAQyDkkPe2Utoq6Ni/mkchkgyA1+7e2O7h7KKoksVXZrEU4aUPELAWhKQDgTosUrK/RK0c0OH8DJXRI6RLqjIRVn0EFTE6AQcTDX+apmmORz/FsFcun+d72CSeBW1ltlXZ04TExSpZrzy1L+MBXBJ+tYGZDf3bMMZigS4SrIQQRvNMxlKxRIITjrXBn0uzswG/tJz6EMJDfRlxflyUmuZzPpoSota7VZADV8bgO4aYRVa/N2vf3z0ghZNujq/4UCigZy1OnF9YAB6sgrfYnBFTZw5AlNEweQq/2siF4M5JHSTzaA6FHKMjI2iPreiqqTCdn52gdMou7pXQ8GojJ9Ayd4e6rV1ul95wEPsXL06kL73wFIuplH76k1eAC+yqNDWEVu2NoIbha7WnAiiEsPrEsic5cakp86H9TjPGXIxqLdthyS+bh2FSvLjc191EXQ7cFgRq8E0CMfZM1tGSFsuDhW3WaK6EuzrNnJuJ80ibZSwEexOSLdiRZ0A4TPRvJyI4NNSbvvzSF1iMI+xX/W5siXbt2kUKab+erly8TBAKVug0S85PigRCyTAu+iN2WJokPK21tADBnG+dURsV+uiilEMXt8eOATh+Oo3RDJF5cG46GS9rArWSmDwes2vklzj86/FnTl/4jA9NEWTAA4KiE2KJ+PtCbMBj3xwHBLkI5mpgNG/X3Fm1gZPnpGrqJiH0De/aX02h1/nQMRJHahbVsg6sQm3o+uqN66G1TMF0InZJmLl69QKRuksIlpwyjAjaUyzcikYeGBBLdpKEM5W+/tUXgmZacydSruXGlSlayY6kGxdn0yAMBK4Rcgz3zL0p0AqzGk7nTuG0H5u4XqrK7qAyNLIsrTqaOHnWCoqluxD4NhZPnQVwAuSp8aPVMeSu9htiwVhw2ku2mRYqunPy6BYO585PBb7WnLtw/JF77wMTyxl/7SsvRArn3Tv3qbubj2SsP/nWH6bfe/nlCGJYCygkOMQiaBkiooni0NEzgcjJMm9Ep8+UgCWUia95OM4RQWTxmbBkG1/hoIlVE3D4wicz/9rDAUeQQ4gznj5OcPpPswS5KayFES6J9szHR6yZbPGwFQSPymoYBNAEGo/6OoTCptaLC/sxgGtEpjSRJtpXKoSlwaMnbB6pVpZy04nZRxuIecV6whVNpKzGl56nEBUt8W/+3b9L9xfupn/42S/T1evsAHXzSmR0CVv8vNpjgPOLYe2LYfroEZN5fnoy/Y//6s9JaFoANpTTIAlDxwQ8jg7oH0zkqszG6cdOkpYGrW1c0OjaPu+V1xUnCoG0rtJtasu9Evm/CI9CnCc32IC0lRdG2XgncIV9q1k8M7T72seJPWYRvERz7mtXrtBRaDO9eetueHNGFi9dupBmZ6ejb7FFr7IZU2SqWYAgJXgHSLZGwOcZimi/9cffSF9DiO2lfIi2tReHi84xlIGwn4fRPjWs/Lg537soGffSizC6gSU+k1taDsuotTzYMwAC5YmA69y18TkXhD5LW17nlWHh5h2eOBiHR7+fPtWMhyYJst605sUD7cPEeHOadvNXpXLUvNhl/q9G4ecOUGOfwtJlqipsuDeGJs74znIIt3jM7Csz4KweUQNL2rchNG1MoBSXCUNSUn/w+1+j2uFS+t5//uv005//fXrr9dvpGsI8joY3/VNrYXhYjep5CppFnMr//r/9s9RP45Jf/Py/pKWHK+nmtcvkIMhn0OQ6Rw4xmrTGtVkdol2W5jIZXjjgxLb3qCVtE0s0jfs17GxTFBdbaOkqFBxMCdKEKECLgYWDwcG5PCyywSRi3c75hEnCJy3BV156KX3zm5X07v0H6fU33yasXGJBGnrGmeVR+KalOmFR7FAXKJb97r/4Vgjw9CR7BrLgN2BxakAhLaLKxGJamx2qAEzDtHP+9BTvRdO7IKzJW0AjG3FUQPeL5G/cv09QaS1yXhR8Azru7qSC0kIedbOLAFr50YEAcyPZcSrMZ5969L4n9EuTBPkUe525SLWzdxbcKgNqY8IiGNdNvt1YPNs5KAsbi0uliBomFImPv8W34S2zCORk1fr9BC4sXk1z7NCJw2eYVqdIB+d/+1//l/Stb/5Beu2NN2IbBSQFk00/CDRPOxrc/hFuvXUJ6m72wmw6QehEDkwTCUZDaZ9kmF5wqN2QkASEiC6dCJmJ8OLeI00/Gs3vdLG6eOWJjXpJtSnowdXymsxAbAVB668qgQqZDTW0zVnMBKwgDAP0d2vj83tYABd8B5HG8RHgDaVgL3/jGxFVs/mggYk1ImxCOAVZNkPtOEGm2qw0pFaEwtRje7kRRdyhjdja2jKjTyYf0cXIOyYwYp6JkVQx8coq2YT8jjmJpC13mXIxvfXuLbQ/Oz8BJ2yn4CK1BZeNxadRAOHYI+xCnAL052PHWclVmH2xIdyPvfGz/9EUQX7/ajNN7MVnEbEM/Gt+bVxtRpo5tHfv3olEFjlazZCNtVtbs7wAhddQdtBPsAVGyBQYtd0RHTvNu1BDu1WvWiOSjRjUfNmEl32arMykG//qqUjMOeLz5ueWwaeaZLVPJxNjY5gSyeZ5cgcW795LOWDMczefTW++/loaHDdqRaJNRLX20GAWx2pe3csEbplJ7QTDC1U8nDsF2CoQBV0zrPAIJcz0E4YYEauWcPSCdqOolgR2czc2CI1LKZ4Q/VPwnfMaQuJ4mocxTDW5DrF7Rn/p5RcDs9vGwEQrFcXuFu1o0cDb0HZba+5YKovAWVic0pRSjPbG0Bk17G6RqwJYRqvqnC+B0y0I6OA5t4qQ+RiHfzbzTy2uYxdV6jAcVufIYAzwmtHC4JD1G35LR5ME2btxSp1UrbCg32wvsVjmAKyT8yr3qgOmBrWKmNBGZMTZz2F8DOchNIAOo7DE6B9YLEnFZeyFr//Dz34ekMOyJZ1LJ0QOWs2o9l1bJjUTEz5A/7R22AAd6n4SgtRKMgttLcAAZKWTdlA1uNvdnVJ6+vqz6da7t9HWI3j6OGXQWnKv4l2rrDsL9FYGiuSAGwqwebt5cntP1MBeI/y0rQAsWJV2k2042FeoM8qrjJCai31io2wij++8swLdVUBgRliU8LSMQ41GFh0sLAttS9BihRHOI/eOMCl8xVMHUZg2McHm8aRu2mHIho7mEhf3YIO4PnOPDUPvgMMVYp23DQJQYltpszwRUbPnTOx3MSwBKazvk0e2AkenWZ5fetQF1cN9WoamJTNCqPW0uaF+gZrdPJffxtEkQX5fE3tTGawgCODkc8P+jDJpZmJZMe2ORNE4EEYhtiXD5GuGzZvQlCtAdmqvVfcfORbbXbtox3y6ThmTPYTdtCU0BE6i2/ea62xOhS255FDyh+59QYsn/bQEkY/QKhRG/6wZdA+5h/cesGfIYJp/MMekb9BD2ZRSstx4TbbEPGDNr5qJ1cFEYjX4vAlLNgoseb3cmy5PK99fJczexSQfgDEVSD9n3sUJQrtnXgmCLt7cJuPNexwg2R/54nmCNJxHJ9mK60M+N4kGLYOth7BWruR3b2PyCVQUWMwP3psLbB6lTFzjMVain++1TazUXs1wP2mYR/DgBjRs5Ws+i7ShTp+LX8gnlBPLi/vFvjqJ58i/uHBuOpzY5TWqUVh8OtVlrndzE1xP0SmADhhE1JWFE5qCvx3lONRnp79mTzTn36YIcuhitGz8x6M0mwzAAZUFNTOlgAdrhIDffus+E7rFZNifjGJSys6tvdM7r2mW0SRtlJtPT5xLG+1yrasIuJ5+SuuQ/eLoY7CbzVekhgozEwg82otCyHdvvRnwYQQKzUqKQ/CtRapqTZOKnDC1kg6lzIHsQxvXurW5xsCbyUWHn82ldGFmMM3dXg/h6kPDC5HKpID29xPgAGO6AKxgUegmcL7qZNEdIaD9wyNgXapKyNvYf49GjdzzOrTWCIETuW/7OkMFs6AHgmlxbw97YAz2kZZJslLJNFP6xHmzZtVp2sWnG7R7vXvvbmjfNqoBRvpHQ0O//c67aaN1KxbWNj6D4xSFoWhdtWiBaGCNXGZD0wMsdhefOwi0wMIMMe72yJCXR4bDKTS659YTZhcq6PbhO6Kz6Z37iyw2MDIaexIHcWCkDZh4mAZHprF48PkKM4swNEZDgj8HYW4Sj5xp5EcRPW5Ic6jg1dEYYuE1erLJnVpYagqkVdGGiN2zWX4UuUAos4w2JxBJiWCHe36IV9Q4YuOxUUpzSDJXwJzMyBlAKK9fvYy2YNGg9QdtH4AQikNNy7Ss3TarOmhuOQbGCGF2N6PNrXWEmVRJlvgE7Qnku+V2TQ/dQnMKFTSpCqZYXX7XvszRBROI4SSbrsnlhxY/IALpPfcBNYQgatst7kHKSotiWqbbI6hN7SbvuaxiMdPUZHgT9fMsRBshqinFtw+xGLZDGBni+si7/sEPf5IuX5gNIV7VcZY+c5Exzm4lfOce2/NShTMApLLRuMENYZglZe4Q5T1JSdpTWgdaS+EWEW60rkUSDkYXUfK1d1iAa4y3FGsfO0HpM4zQCNHmk2283oaFitUXWviMKmYuAhN+8HmefRJHUzQychTCli1IqTh0M7RQN5rWChGzx773ve9FFYM5xtbCSYNpXk1UcSLcHGeYGjVNoPcuxSQWMziSNdZGg+KwmRz+9a99JXCwb3TDR3GdNXMDNG8ZRdCLlPNHZQQaBbIu6tCGEQIF3EJX8W8JjR34kwk299mOnANoR4BNcKsm2w8ycVYy22duBRZAQerhOYXXvhat4JZ2JrjA77aV7eGetwnWVFksRRwnk4L2YR1sO9WKNhweHA2BlBazqaJ0lhqtfwAN2sdurwh8ic8KCVh3rF82+KHN11e+/GIshGUCR47tV156gbHIUisbu64aJNrYpD0Bi+UaleQ9VNCYCWhrL/luj4xVydSlz1ldbS9p+WRD26ZrKtThgLKwvM/nn3vudPespahSmZo5R+0hTiPjpiV97HDiPP3ncDRFkJENZArzwiGf6s1obdQoFjlWgQ/PPvc0POgoeJn8AAa5E6rJ/AcTavxAO9jLLLcy0MFex0airKR2o3JDpTo5msd5klqqCL/1cRcvz8aEqmXEk2LBPoQ1w2009uuVIhMbsv0BnLNa3v5vOmFqvzKwpAsmwfKgTh1Drn18bDIWU52yKHd6euvWPZ8mIgiOZ2LvzS0iLFv8nWlty+Kl5+wKb8i8yPWL9PcRYr1Km33Lh69hje4ezQObxsOBNLgTPDLC08PuTTnO04Jwraxnbbv8jOyAnfbNb9ChFbppufZw7CJ0jSMnzpUlMUoa0AcFYKR0mAV97vx0aGIFztztXfNVWFS27J1kZy27eB6wn4j9ObRWcuKxPzUJWDa26SxQbEAx7y5j99RT7AgAjFKTu4/fU9T5ZdqYm41DKeY4fcj+aN6/zRFkxfj0Bho5yJHFxlQppP6r42PwwriEpkuCvavLrkJeEuFoBtptFJaoS7N0XzyrB250yh2ODICIi9343AQhve57dx/QG24qeE8nSzMpoX+AWT4Gm6s1h0fGKJl3GwG4ar5JaKNHbuurIlrSIIWC3EOI2KbbZrqR+cyEUEFCsCRPiqVJSk76FmZdKs0Ol71wzlGhDOQwZ0HIst29kiqs6joJOHarPMS8e38jmHh7XOwi3P0sIBu9VOVpWbzuyWEzmDoLzkaJOlXrBDqECihKcK6mXhEmrI8WFD5oVcy2k5MWGz948JCFT5dOtIf7A169NIvlIOmIca7w/qzlGLkVUHXCrT60f1CIJv6HtyCzZHFBDwuUDdSZG7MWjYrqTdg9aY7A1SbjPjV9PuhIfYTf5tEUQfaGHi1EpDaEGdyngMoARMEkGCxybynKrBOlsm2UOzqZx2BikUJmF3jUW0yiOQziS1kDM8vMCZibt5EhjV3QjA50mEEFA+2hhpMdEcPZGV/h8Kp0NL0So4C+rrCrvSgU4nvQtODuEZwfNd8Ommlvl5az+0cEIAhR8x09fYNEvOppkWiZVdtdQqZu8qNZLHXYgQ5q61phLzqBCFUE3UwFS5jauL8igY61ImFlvrOfhWSuwt0HiyGoCs3IGI20YULsNxd1fODgaRKG/L4dooNes+PkxpCOjy24fM7OTAs0NzS0r7lojJG9P0zI0vlbBaZYVuW4BSfPOBrWdy9CN5hE/kO5IMEwMFm7AIXYxa/WNcvwmOqaLfKkDyxcYCHb6chF78KypUFoqEcTzwV+jkdzBFmV610xKHLEmf7I7soaMKmsCWidKknupQM6TWImt3fAwgixWE7HR4ZD3T04RHGptX1oYnnfOgNr3wiFw11Fg6tl4E3rND/gHvs/y0lLuQ0CQwxMsOUSn+Uq0HJCC4XeSopgR8C+4kkF1x4b0n9usmPDk7V1msegyQf6yarDM3/79p10b34xugIJayzA1PnZYXILmNkBOdROhJhbNbPtmFTME7UgYje3Nh8LphPIYIuCDfDo3BwNChHEixem0/VrvVwzC8LFoNZFY+vk9iDM1RnuhUUl5y57oVDJX1+7fCn23FsgF0KGQqfNEisFy/HIco5tF0D3fhTCMWMQiUxocik0t0szKKLDaqXMOAtEWGGfN4NWzpNRS8ezv2WAZuO2+2Lho0hUSB34K6PgYwVaExz+D91B42gIdMhC9lQz/22KID+CE2gDNQcjG2YtAB2CrXI2AOC+zXWqMbrEx6d+gqS+nLI42BZU7oNsrqy9yPT0jVxpGg2Nuv2vkGRucTG8+z36VUjyT01PZJu0I/RZCRQuHgLt5KmhZVM0/wYqrG6W6XDvumAjmGS1n61aY586aDA7tU9MnoPPraefv/pOWlzbiNZUOqhbbNZeZGFNAQOuMKFVmnePyDywWOpSfEQB0fvpB3QN0oG8ygbyZp/Zdd885qevXyZN8zznh8qCDeEWWYKWTtEIBYsRvC6qQCE2489+y8IyHcRDGBUXtL3q5IHNn5BlGAM+CZW8PoU+Wnwx6B2dBnPYixArJi3ZaJ5ozZ6L+ojrlT8Ox435kNnQ8QtFxJj1oRB0OksVOzTBzqBwfF1Hk8lhnhGnhgB/UGo/7vkPvu9T/t0UQfZaGk6eWlkM7OFg+7c5xraV1YNuwcEzuqWQipfVBJL0Jr+I34QUDrKTokk2kiQvbeWvrIPniAoMNIKY0oHV7InxHFU5Y5uh6GRKkSkQajNzmLfowlNiAgzI7JLHLDU3NDPJ42HmgAFD6givjbVtpDI+c4EdPwfS9+nJ9tat99LSPZqG85lqGfqutpuGaQDTh4Nnuf86Zr5P3I+j9Mbbt2ObgwNgz/7+2wG1pgj9/tl3v52eI/nfnZNMMxXr53BE3bNDIfa6tTguQEPxHrEnCde3wfiZKRfbMxBW1gFVC5teqTVRKxvw8F7tTN/XT9Eu16eWHx0ZDtpNoct2iSVNlAVn6ZkBk9iDBI0rpdkF/NCq6gwbDZ1AEbjAGWgaGvZhBbxGxtQFwFx+6PiIpz70nifwRNME2etXmEOg4mYsccoqljPHDgMMSd+Og9UGc5GHLZAxsELCvF7xsAOkfrLOLEvKYXIR3JNqPnDgJN3VDRmrQdzC1l4WBkfUUiammyzeTZXvFNUR4ugycOWAMKo5Fk6m2NDJYp5icWlel3BizEzTgRNP1wki9PXlU4XrqjN5f/ov/iw99+KX09/StvZvv/+j9BAHc6/u9rniWnJ1gQb7lOdX0YBCGYVxn/yJ1nDkoPRgbM6zWF4gTfO73/2TsALy5jYa7CWypxbUGh8gqKZz2nrA/mwKmArABa6jqz+gk+qis5umf4t5bYzo/VvEoED6nG14x8fZ1RR87xYK1gHqaAshgp3Ap/D8Vb7TgJWLQmxtVbhVLgqypU4ttmPiffaA5sLAxVCGwLHop8H7hRe/raMpgpxhYv99/Mb0mhs/OjEH7IN8hAAi4fHO0MZoAlMNNZEOjJE3tY5bA9if2NfknnVCRtB+JnyrLWytOk9BpGHkHmg3J9tcW718nZ89els4eXKhavmHD9kyAcdObGnE78a1q0wWW/9SvCrk2eb9fT3eAcLYSzMY3mtgo4VJv8qOSCMIxoWLV9Mvf/HL9I//5ZW0hQbOoTmPOf8qONaNdWwb24fgGTyxS/2N61fTUzeupRdfeD49/dR1+FdaYnFvJtl3sLj6KauXocEmYQEQUmBSpGkS4Yy9pr3WveU0M40DiLR1IFBqZWk0+WJ7fbSB1c0MNFHedFO3SDBxKZw8FpRhaxevh8rCJpBVFwsMjXhdaObrcvYK8+Gh5CHEIOepIuRu6On5xPAKuErE+VCwtYCN44PQ+P1XGu94so9NEeS4RNXcB464cQbEnV2Ch7VKglwI0w1lMA7ITHM3+kaergJokMJ+CQ6mmlzYkSW/gGHBaGpRu+rYPmqPiRBmTCA0euNWXbvHhl64DbZdKDbpVstpxt1qYA1uWM32M3KQ3abryiXq0dDWt2+/h+n/Lgk55Bnw7TlMdCv0mz3qbDXVPzCa/vCPvw39d4lFM5B++sMfk0BfgfUgCw0guQFU6QGntoBpd7ECly9fSX/0h3+cLnN+29yOQxNGPRUWScxfJvPtgI3NDT5Y2SIjIb1oXaJNCP2c/fDUwKZ7HiPcRgR11BR2x6k9r+8ATwL/bmsEO/ofyGOTI1EiSqpuWOV3fYQp4Iydh3SgTbQXkgm7TCoyAmllt6H77IBTZqFUaAV2XOXcLJQcMEIrJ9xzXkONM3ec6PQzn+9D8wTZ1XlWmP0TAbJcvQUza/8Juz9KCbUR768U6WCPl3/ERPEWJgWKjf9sOu0kqRvVIHZnN0HIFMVCwfxgzDCTZWRqnLwGqSm3sbWOTNw3RudNI4CbYmC41eBEmSDDs1Zk7+FAKbxOnppZiyF+5xe+CyYAc16BxWhFE6GW0USEpjH5mtcOPPSJqZn04pe/hsBtpX/46d+HN28J054whYV1d+c2sKSeXn7py+mrX/1aBEkMx0cugpoRbGzDlTLsyRELQNvk5phuTWw/NXOtZTiuX7/O84T2cS7vzy+Eo6YgSysyrKmd/VfMLjzqog8ccOsE2CQkEV5ZlSPlJs8tL+7fFYpo3fQmyzG2zwaYFwfczpzCCM+JqQh44viJt09qQA3+a2XOtDA2Tzdhy9edbrW+elnxbywBT+Pxwb+zZ5/cv80RZAW4cQdnr5XnNVHebaQXUhmhpjhmsG1MKLYLfIwgmHrZBmZ2pdu/2F2R3OzcCJZciFrI9+sEjo2YLG/1r0zIaGga2wGYxmhaofvJKei9mEGrT9xc3YUi/JienkzXrl7B1D8VbIKcq6yJWkbGoIRjaXDCgcqBv50q0zfNh9B5q+HJz166ll7+2tcD2ty9+x73A2blnXeoqNDcP/vMF9MLL7zI4hkMbWoOiJhWKstORK1Qcr0DCArfWUd4xMKGwqUIxfdffulFHLaxtAjN5pYUC0Qyp1iwwoCscSGcO1l7ZtapjU+wXG4+6T04DUKqQ6gzW9zKlKgIXBz2E1GA7YFh/xAtgJ9T++7tZs1wfF6eOoqHW7u5JmAS2FiLGpjd7zzVyg0BbgitU+/vHyUKvvYkj+YIcuMKG3d0eicOrILsn2NMRCtO3iFtVPW23YHpCI1oLzgrRw7IL0BX8R7xGw4UE+Fuo8KDTjCnQQ81p4PfS7KLVRkuDrlUIYcOToXNX8SPm9uEeeGK1e52lrQ97Y2b1+Fur8SVWj6lWTWMbCSwY4BcZqiwbeg9NXaZ78xxHpsgmiNcJ7e6VsNCoEllZGQZrty4mb7xzW+lGuVQd9+7zcIE6ULvfZUE+O9881+yYM5BhWFFEAItk4s5h8a3GlvzbhW0+F0hswzfdFJZgmMWXRR1IkCWErlYzQ82X2WFSJv5GG4WbxWHVRtGQF3kDRwsh1xgDB31OuNYr2VJVDp3K6s2SN+IaKnCLE1nhM7PW8OohlZjyw4NwXz0jkylwgDnoxuYXLLKIWAFkMJFyGA0Zv5zf2yOIJ8K8OOrUe2gCPsveAzTK+bVWXPw5HW3iNlv8LO1sRET3Ua+g85YxhtzNv730/vk1rYATexKJLswQNKRgm02mimH62RnbcMFM6V4NPqSCFU8v4WwtKQLTPg4+RgDo0PhlOnkGL1awFk0JL44uEzCUC/Ym/31wMtRQYFZHgAXT00ZkrVBikELxAOIofD/v9Xd57tl53nf9zO994LBFGBQSIIURZmiZDUrTnHiS84f6ysv7BdxZCVWZNmRZZJmA0jU6Zg+g+k138+9ZrOZknyBc4hkAWfOOfvsvdZT7vK767Op57+V+r9xp+T1CFE5kuDON//gD9a+HJE/zUXHSFLDJ7NM4MWB78qVPqv/Ma+FtMpvf+fbaZ6rtbP93Z71yhi3O/KEHDhYWD334jsx6qY8EfpqSAv9i7/4v2IYgri+bjtr24XAQJYuEntl5Ok+KtmKxBUo2v7a1vD9yWmNxcCEkXkgHAbJFWixVYgwGvm97dGzLVHwtg6SfFb+SvcRGfW+8U4Nc9rfL+ZaH0JuPiRGO9OsfC0Ly9EvWhdpRcThrSTbg331HNtcZXOG0rVw72cS3llXSanppdwvz8KPggBcebuTUgeq9tBkkL+YK82G3UxicuZTdwfacBUah5Kqypf2lH+rX/LbSeRJPCo9UzOUTz7+cHCyxHNq/uoVZfC1iTqX6k6li9wZ18ESe/buLEMvCSVXYk5mJY2CHDPHxngro1Vp/7GjhzPM3syo+nTt1Knj3XfJJX5a2JpxpV3WNEcJNmmNhUB2JfU++ODMEPOO7v+kOWqb8H4SEn3sT+M4OAhud4zD3piLbXH8jTfXfieIQOqKfErs4dVhODOKESImhomf9/P+CFUxA41gPZx0pZkLW0DjFtrlo0rPuOXgeNDq5u0rGdG1/6IF951Y2ylK6hjW7JwNaYlwUZ9rHfpaEPJqz9vDruU3e+5r/a71IWSDNgPXEPMyDfTpDwj60YMk1OMIu8bZaxuUzWdclVAuo+pwRtuzsOOjWmRtCCdu2bMc/QWvKXykshEtfCengm9075q2ARlLMZDI4vQAjmH0orhXJYX3CXfvKEXybg2rr9y8Uo3ahbWzZ84N9j4aJoWnJcRIIP/jP/zDtfd+8uHa1gIwp06/MUyDYBpgjKUwtBOd6j7k9FAqGYS5W8eg5zHVq7kFb1Tz9tbrb40XRS1c5lME1HjKH5FR9uxpzVuS7NJDpUy+WWYaSPGgChDf95aAj5ilpe7MHfioKN73f/CjtTdiklcK2R/pBNjHRRS/Er5/lAfjytbLs+RC5yQyQr4XjALHNCXc8DSPUPfVEGf65rVGAk182DurhNldoQCC3pWmyB3eeuVujCFKaRv75WbHoR2PgJfkeVjcWkTMFT5gMEQs9L9KaJqtfrHby+6vCHlFGKt3vJzv60TIZmDgf/egRZGEhY/mk32eWn2a4bczKHEvotge8e6qfGJjRDjpiUkZ2BoGBkUm0T7pQbqTxJJveCEEC6RnPqzCQ6CEmpV1Rm2qsD589EC4+t40IHnYd2mRk5fRewQO/vHvfauebJtyyVVe1CZy4W1PGkqM4e1gXDKYTGs8AnkCLtXk72puPN4Oanhcekl26po778aVa/VM3j+EfDHG0dbr7Lmn+YKPT9SMQacRC68JybwvbIoJdSJCjLSKKORAr1x5N259Z+33f//3m8+R7nO+CN0rg+f3P6oUvyXXgIZ7jV94XGtJVc0W9TAmrUX6JpkoIt7Ys9kGjF/QSkAJTFP9wRi9E/GyCbyHxN2bppOuCqdPX+cMy1mMDN+FTP/u/X7xhr+PJH4til6fAyPjdvCh2b/4ao2bo8muyNtbAI0nD9TPJdWuX1m7fOHsnPT06aXzykM6dbMP9B5qn8NfDwYpj4wi3C9Kl/idwINWp/IKrrbZJOexKo5VLmzKPWXjGCyOSDjfMwQXXgkCyEXWQkoS/+7yD66fvRjk4P7LBZUk+qzc3Ov9vqe/vVoYm6q14dpfaYh9Ka8ERoOiYH7aQHDm4yo4vv2d7+Q7frN84+Nrb7x2um5Ct2cMmHFXKaISlBANA5QnQSdNuRRSPXkEHAqkUymGEdnU9Ui08r33P2z85RzncRGe/9pXf2sYTMIUw0ufkKkUD4ogXN4GuPhp7rb7GdTyuCVpKXkS9tY4fZLyY0SJQNaY0FAhzh2oyYzQv2qQzTuKPO6smKBnC1Nv6m+KipWPCamj0m7zC9dC4i2QRXK9eN/yy8v7d50kMs781dy5epVLbVtS1yKK199vIxACyLCKRDmEBXywsLrK82R81kYwtLxXArnleZKUfPo8n3CqFoMcLKvrtZOnpvBTQajmfKKC0f8ESfZP6dLCDCJYvBX3usftMPqDMDquO3vm/HhDnkTU9yMOBOXgyjsRsmQZlcdcheZpLDTMfA9aIBQEzpV3oGAJg5UPnEcFg8OtciJEGFdnW0v8mUOBwIsk5Mc1cLT5JKwzCB0DvCPo87u/qxpk29r3vv/DtX9bEObdH7+/9id//MfjP6cVcqbEcAy9fMiYjkekNYyqZ3w0EJi18unD6IxPPSzYIXfvlxAUg0iu2pR/X97GZzHz4Yj6tTdLRmptEfs0+45xGHrmbR3Gg9FPX8S1LjV7P5sIsn1Bui++rf5m7lIdMagz5LQG0LDExrGudaTcuLFQLTWZ/1aQgES0aAvx53vNbbYvl5SFp/40Jnkr1e0Ma4TDeyGXYF94k8EHPug0SVVzLZH0DCPHO4gM3ikM/jd/++1SIy9k9HyStPvqSH+DJOVXz+evJemMa1JLGxNDicX/4YcfdfKoZicxKhwdEZPwsKtuRHzXNwrOqF7xeZl3iEG/ZvAC42Js7jNSn3cDdJJqSjo6iVVuxSvN8Q/+8A+qWrm69m/+/C+af+NBrBGu+si4YKCJxora6kpT1VTc2PcEu6ZjU9CKkKBNELMo4dgZCQNeIMYszcdwfkVYvijnrj3lf7eOczjkaNwXsKI1slf9/wvXL/0aOXjlv3r1Fz7zeX5ZJ4n8S0P5FePWcXJDi6Qtq86SG5JW+0tn1JXd0typulrHRwSJSGWB8VqQBNThqMAMrx++++OIaFMHKX55JJagwfm8DidPnZhIn4Nbzp07O75lpT77M/gcNIlYvVeDmI8/OpNkvFaH0M/W/vSP/6j2sm933t7xZGcbE7ZUmipqtjd1v6cx21yBFa4+6aFbqgAnfVWv3K7ESW0eBnoU4T5Oeto7ZwTqrAk+DHMWdp9WBGFcvnBNHPVilu/Bs4IodeHkkVGk+5d/9dep+Pdqyvil3GcHc82dWHv1K6+t/Yv/9c/W/uRP/kndlL67pHhmJIMv/O8uhp8Epi2Nc1sRONpBtJBWmChrwqShDrF6XVqAOsFrnZ2NmA8dqp3WiZOF6o+NwUv2/vTyiJ++8F8T8U/f9xv44TdDyC8mspq37zdyG+k9sYRri/HnR752+dL4UB+Uy8CY2JnkJK0keGvZNK1PSadgwJbNt8dY+2ZZZMqoPv7k7EiUP/mjP1rb26LfTxrLU35QHZ5uQnJv5fB+VOI97Kmmr1uPJDtYEenbb71VEvvuThr91ppKZN3z74RF91aWdCeYcCXfNnXtWlyBGaSMngiEhNQGVwdLbW0dDYYg5C0IC8uX0HVf2dHHn3w0Pmx1d853tgZb8t5seSDCxqjcMoTEGKUx3kzDvHH6jfD88YoGPi7ZvwBG4/okRvxGRLmXIVlw4/e+9fuhB2tUIKnv3JdP6zV3Hz7uYMwpKp3Rp11eMBfB6EDMOeZihEZZf43h4CHSmGYokSlsTOOda00OPK4P9LGObutvccEwJDiTM2ZsoLn9F/TP+hDyimJnUljWC8vlJ18HIpR2uZ+CDy3G9rDqgWcFHyI2KlV2hSDDYLAk8ZZZrCRjC8jw25ERR0J/+7vfn4LUf/rf/ZO1/SdfW7t17tza3/7lX06lw+PUqWOAeTTgRBFB0lue8/NU9cMafL+aG4sql5T+Z//iz9Y+ev+jta//9jfCyGeHyB8+c/5f2DHJLi94W8+9PY1iwvJxgmwyARseEk1kEBqX194gBPwp+nYvyPLayZPTLEXJPWmo7QHNAEIsRt7dNI3eHvuHQUEVLWmdm72jdXCuye58yJcv16EpBv9O8/4gpvzm7xyY01RJf14V68fPLXrpu7Kxqy34g8Zv5bkuQQl6xkaAaim7fs5HHxGTzvpH85fLpeb90Ydj+44gXQQ9WmhzOR4xzyCL+eiyqy+UQK/85q/18VrQN8Sd+S3//Nz31SRRZgua5GAAPUfAwYlLdR66knS7d7v6s6dLeQ9jTTiaS4iqlE+LGDyD3/edsKzn/OTdn9SY5b3JEJs0xDZyE2OpKB51rkHg/qQirAu26O1LmvrbqwVApILO5mfcfP+HP1jgRdKedHJ5H2lMM5DOGIKRpHHM+x98OP5k45jeG33nBptO8L3/1MkT9WF+oyDJiYEUigz682TjwbVaICBeRytsTUqrJqeJGIg7w9rH0zKHghyqOXRS4h40BkEhx465VDPr7eycb/dT2/hqCfzOy7tw5tzamU/OtYZJ4LSRbqQO2ZS9pvyM8QeD8wRJRHLO3tYtVVX3u6Xek+TfWlBo667FBbehe+MFOdiiijxJ5vPL1//PvRZN56eTWknkn/8eDSLgkcj5KKxARCdRm1tJcvyOumA+vHs9wongkqSPCzA8e166YZKABH/91Km1b/7uN8unuJ+76+O1H/3gR0NMCFPUb8mpTTXmymJkkZ57uo8qECPZXD4t//KRJB0pcyuPh5OM9iSFQAGSl9eED5mEcim1x0CISDad/hbux/sgCHM47AoOPGP99x5SC0OdLBuPN+Z899etX0mV804YnaqwYdqdvS9aGr82o+9JyUOKTkEqY9cchjdHXskkRDUXUU1+YZE4MEZSPqbaXvRO+Fh08XJdNk9XaX789dOtxf617/+o1rSNT5swkpgbjiFrLZR3eW1zmPpB3p56Fc3v+l/IOtT5aFt7ZbvsWS/PdwzrtS/yWh9o8V/NaEXErdJctkQ4o9fn/37qT6JDyuSdqPm8KotnT9voFvdOLrHt5RFs2lI0LPX725UHvVLRJAK+eOHC2ieVvzuFiaG0t4Z+NlfuwuNHuaOSvLLUhG937izAQgJHbDDe1jZzV8cVuLi7du+q9D3YwrB7pbA0VT2FmeMRWJKKeDauhpcv98Www7GaxGhvC3qQ2I7BZSjJHxZ11AtaeqnOSDfybFxozPq2OXTdia28MKSwFZAe6bTSkba5wBhnPB5LgjwXT1K7iCCjF1MjdIlGsvj0ecPAInkadguKkM6XMmqPHv2k3Io31r71rd8bKON4i7tF/jDYk2flVzfWZ0l40tjXc+G9PP2iqVKOGNujZGOQ1W4SKHOqEw78gq/fECGbpemvvvpxuLmNSepQ0bAmyXKr4lJ4VG6C7LJt2/mKG2aUrofFK0XoJJ7/zd/+5/EPczSRcNZSttrNm3XxaTMRlfM+4FVuJC6np+3Ejl31b0sCScM8nAbggegNg4NPJuUfZigdI70jQL5ueNLNZ8OT3KJ4TkuSkQcHOxKNsUUiqjvkrTiWWrbpRw/XRipNc2Hjp1M3pwyJ20922ZRx9Z5HEdu4EyNaVTF+xszbYjSEgpBkmZH6opR3Wh9wQ84xW0KBAIz/QdBm3IoZtVc+rWVv44GPuThpiavlMT97vjk/+INJqj99+o3w9+VxzS0S/2bP0ohFXjMJHSzruVurIbRZiNw6wf2qbjZ0qBDIZYzEsZ39Iq91I2QT+0U+9crq68WU6aPh5og5OCFyJcHFYks53FLUaOeufUXpajMbAfM6fJDlLjlcq1QbdCPvBOkmr5ek2rVLrsLSQf7WTdlb1e2lwqn6zannfdXF7Ur6TN+ysDb/642wuSMGTm18bY6A8H4ROoETZ/Yp5blTfgNiJiGVWe06sHPwraJWTMhNJsPu4fa6CQUTuA15NTDCO1/+yhC0+xwup0OLMPh3ch2S3AIs00UoIoFdEfPziI7bcXPSEY7dUeUJnkNMIou0hV8xkRAzyfzhBx/EPEvdH6OWP5nvXMfO+/WS1jhRqwOh9MNHDiXFNfPOQE2S739xX/c0dnNVNvb0mYMrMXL6cgsPR96Y7r2DNOYqnf1rZ2dsv7znL/b5N/BtXQjZnFwv5vbiJ7/97C9CqbgeISuZYSyQPBrhbd+ZZHre4SsFRTjx5dheunK9lEtYUNFkyUQhOJGrBeOp4RuYnVRUKq8KQtuAGKQooHo/TUWmoXefP5aEPnXqdATiuLAOraxBto3XOMZxDjuSajfLidZuy4gnYBDhLL7k/RH44pflBw4dpniX6m4lWQIL2yNOLb7cU16Ivm6SaXa88CWzAVSnMO50POIZcIEofMo+Qwjc6T2Ielu/6zmhsMB7heMvfXppEpJAgv/nb/4mbK/j6P386u/OOShSMre2dop6jetJZWQAnc+yD7SyvZPQ0CsOQVvTu9kAj4HkIJ79EEHFnMjT58CmpTC498RMO3uPJK4Bii+2lmz6Iq51IeS/fyILQct55ZCHwxyFgIiVzexKGnBlbYrFJQ9R1aDElc7Ou1Oxqs6djhB7XNokC51UFq171qHiMKGG4PIWwItN21LN4WBlRAw2uQcI3D2pdxvvtCWeB4RiQxb3WLnSEeMwTEOkSmW7Ta1buJYhtWpb4OwOwZmFePNmJJ3dn2/b+wVRHoMMSU6VFjtLCmJY7X+8d5jEERCr6Jq5jKsrnI4gGFPLa4ivqpSkJK21rbVBVJjQPGmIj7MTaBDlSZevXFl7NQJ1TJkDb9S1vFpu812FpN0TI7EjSN6rEvOfiPTVMajXEHnDz315fwSA7DzvNSClaY861lj0D6TYEuzYGMRYdrQb88f59gVcv0FCXqa7SOVIhkqaSfd6GzNYtRfgsm0t0oYWmRr/LMl4JV/qrfy8Kkccyetgxgkx54lXZSLPQS7GZI11X7iSWtdhKJi8lgu0v2WV9z4GHuNJNpmMrmsZXwhJ0+7bMcrB3HNwMHec4weWyGJ9iwuFj7TFGBET+ILAEbRACv82CasCBOwxNeOS93E/BkMMXGq8NZtjVJid5GXwjipPw0z4nZRrPPy9ql6sDSOWZ4UrT2DGvXguPszY5YN+4/RrszY8CSeTrp9VVABT370nm66TsZK0OuA7mliljNySHeU8W0P3VczLfjB2lTWEMi+OihbMDfo4CF5wh0HO8GMUg0f6WSByY19gxmzqb5yU14mQgX9Kd/ah71HSzO9nxAxOSFNECK7kaRKsdMFnGU1x/KMqLe5neau0uBUOFrHangQPNpdqWYlT2WnawTqSi/R0bdpUPsS42upT0SaRiE+SKLAeNbkhApD2ePTogbBwzHEradXm6LrzvM2+X9LQ0erqNtaV/UBlTTeeXEvqBBNqLSvRRlBlqRyuQPVePuXG6/jdzf1toEM1bSOtTamN3RyRbOxvigEQGZ+vgIU2WrCv7DN954yPoZigH2aYk16RTNKW3zfdUjLTvfEnX790rnHfHjhw60qH6MCsVDAANQAAQABJREFUn+1b++pX3swbIpKZ+7FgC+yrnZe+GtuCL/Axac078qxyLH55klnvPDbBzdZiaxXnClxpjx0x57btpchmLG/svdsau4ANl6CtXAzbF3EAQin1sZh8s9G2Y9ny+Wn9/1kfQl6E7MxEWvIydf6FfqqcZ3UxHOZEot7EGnZMro7zOkleP//J2oNyD+Trbt8Yvt1mY4tQRdCMm6eFdRkujx8nDfq+aZNuntvahCJcSUIJ36JXG7cJuLTEMYyDXV5//eRY5hNSPnemTd+3tudkHTzLZ3gSLHgcwWwJpqxV79fdIjhHOMQkEd+2NAG8LGWSajcTkmks/AYnmUbQxnl0PAE7qmxuAkm/PWOc6cyzKS3D5+wzKlBS3BE/HF7eRiQbvUclGFx7sCBUKmXDk115Ii4l3TM+z5+dzLnrVy6ufenttzrGYfPamY/er8r6y2PonT17biSuyCGIdjNCTJ6u7SzByoGRj2ttC1ZtpB0iPkbc49ZPb2YFD3crKuDxkZB1rM9tTohMIEoyV8TMOKaZaKX7E5kM12vcmL2xMvzs78/I2W/rf60PITeLv3MiQ8epqCEOOFLqsdBqEnEiZrm8SK1Uq4jXhixmqjY6GiueFLHZsrgYVNIbi6HlX5apteA1UnNCr73XPahuWWSvd2QZ1Xnh/KXZbF4BRCUT7IM6BslM44u1UQ5w97mNfcHWGzd0FG/vJZURMWy6JwkmWthUGhPC8BNE2vf+R/CD/YNLz2NErrjnnRjlPhbIHB9Wy6fUfjwtSUNBFGuCwa8UqePrvRUGv1V7L6dgkZZuzs+MuSL9+f3TCF1B76kSjT4uEUpB7+E8PYiQi84RyYJNximnejFCd4+XSKTztY41s2bGxnM0c485j5fXbV1Vj5C4cqNpH0wgw29T42PjbGvNlbfRPF/EtT6E/Eszsb021kIsmz2vDDF4nQNfWc7gzogP4XBVcR1JPPdl8TYnFSYHOQJgbNzPZcb1pWoaPpWsI7InKUa0zKZQ3/zUjt3SCFEiENUstxiDyNsgoUCSnaVGXrl6pSHllQi/8lwc2fpKhPso3NkJoD1DuNffEaVqFV6FFb6ndgfnNl0bCsuKmm0KEm17nuTtdVCCUWQtbLk58yiAEzwwt9MmSyqmfmv3KsS9vna192xrHmyGr3/9a2v/x5//RbkbJyYC+dWvLammIo3WROXJsULyF6o9RJBwtTGAEvrgcbttub11DN0WaBjH5zSH0QBdeiocfSuYxcB9NULWXHHP8+BHTWSW9NQCNH2mSaY5Fu0B+3MLEipfxLXuhLwQMTFMTtm8fiaRmriNuduiIRi+YZhQwSm1JXr2+LNbEVoSICliw/ldGSgPeq/2qkK5CNkzSA33cwopl5CGJInztU3BBAwhcZ11f/vWpT6/tBEAC/SPk3QPhhijzvfOCyF5nNex/bNacsVImhLCl/C4AAT1Ox6DxuB4CGwqEZ001cjEXNxncaWFctt4HhUM6TmMrEeNQ7dRxKCWjhYAneBxZ31g8DlIqCDN9iqY5U47uUrfOrnOZwto4AZRPd4Hnel5HxzVRqsg7h1pLsdM6FDksBvQ6K033li7mX3xyZmz03ZMYEd+yN59eXZaxztJc7bJeExac+tMo80RvgWraEKEDFNrVUAY/Iyhm94XcK1zYr0ZvSDiiBcRj1rtO3x8J0K9VjDDuRoIWEKQxeKrfJA1/pDrKALmWx0ruc8oTZd8r1KaRGE5201Mwpq2oNQ5I4j08N3GnkyCgQQXam4y50JHiOAJK/+DDz+c+8hz/v4PfjiM8+rxY+N+c8Koe1wqbwEUcbjMRB4bl+eORO95Np0WQdQkPB+zAgEE73VEv/J2GJcQsmOLr3Z/Et/v8o7vVmTqs1yTGAzdy34jWQWEPEd3zQ8/qjC21zGGcL0iVdoANJly//zI4IC/e9+4CyNS+SLOw3MPXhHh7ZXmADskRHkP4SAQQ4N6rkghJtEAh2DgI7fWfONL5Ytj5BiKuep+1QVy+GrNlq9f9abP/9o6S2TLsXz9lIiDBYjbMWDcXNfCgfAxCUhKI1y5uPAlIgA5SAAMgJAYFLwRiAuUIGWpcZEtG2SBn0cEYIBHa2hIinG5SaZ31MIkj5dfIAKn2cm5c8qadLhMTdIWrbU6N0R8rhzjV/Md3y1fwnOu5KO9fbPGKaAAxmmzn+7LMIz4QBoYVuiWMaeTZbeZqmRaiHtPgAFUMnd+6uWsvCV65z3j62ZENfzYeqAMhtVAhUtNwek3v/mNniXQsms0j7VAXEL1vBXn6yjq0By5HKCJObMbEBzf9PWkLaJ/5513hhjffe/HdQf9R/MaqT/ar/eBTzxLGobTTuCYVFIGsrwRh2aqgFG9sksudYz7q69uNnTwq//6Ml5dF0I2bAP333xHHPO1EDGiJHFUCuvzsGPbnjalSFTEayO39/1c0ppk0EuCUYRo+WG1hiK11KohTv5ekkRwQ/6DSgtSiEqHR0+E8SS0CzlfKDdYXR/JyLMBppBkCFgm2/NyOaRR8pQsRwJ/PIbRwQhEL4reOGMUMaMDuP8uJuVE6XaVhM6NRcqNiy4icHAjgiapQIlPq7j2LHhctbX5SXa6FxEeqmnM3gjzUcnrjKapLokoYf1p5BjTyIMgIcEUSU3sAYn4JO/hbABrDBfTHphRgITn4rMYAxQgQXUdEtFEdNoU8B1/83d+Z+0n778/XUgxGWaT98FzAs7RKG7otNZHD9I+SWaZd/zwMubAIb3wdu9NGFknD//ptSLi1fef/uGl/rAuhLyQ8BIU8PMQAbJu0xkyJK9NhTtVDYMOTx7x+yqaXKJz00396b6k0N0WXTPvcFyYT5WE8Oubb7yeNLsx0tliYgBYTwCCFQ4Lakk7Jf9Jy4/6HFhAqt+FQ0m0iE49nCT0C0lewQXSyAZSpbeSXAIXpLMTixDQ4br0IC493WDnaxEOwryXdH/4oN7DETQmAiUQMSmusBUB6qBE4sPENh+8elat3gZ5FRHts6cvsuhy8wkAaTLo8HVaRikVQiQhMQqvgnuyBTAxD8WZs2dbPxrt4dQNigQySB1lDHZhKFL8wMFyL14w/lo5QZ/d6Yzt5vf+Tz5ovHmE+gytJ0LKeOOpIZ3ZIxdvn2+tLrTWB9ZeefVEp0V1am0eEQzjtNqfNq35BTLtpo11LvS8Dtf6EHILqJPNuIdQJw7NjSZP4m6SVmqhv8HENpp0I+241u60qBLpN7QoW/sYQurDlfnfmvdSjyQZXGfBVWTodMOyljYpCvXx99/NENle+c83hpCXxPePpkaPFAcHBCdc8LJ76RrPwyFPGOM4t0Qg4xtff6cx3Rs3lCRzn+cBkFcMRvishir6cUzK6HYYPqJ/QcSmBkLIptPZBwaV3fYEhm0dGHUYRTOWHl8C/rH2/NnameyGXUlNWmrpf1wiU2NFsHAtAww+P3PmXMzT8yI0zyRJYXjJRHpdLGHr4EQah1fFeBEl45iWcIqqPfjv/vSfrP3Lf/m/DbP/zjd+ezSS9wjx02g8P5s2gB1BurwXMgOj2gUjl/5KQNxLM0jA7+X52yxw/2A49zIvTIhZXva1TsZeu5eKQcMjjZsESfsgvHsvNXe/heZMJ5lY7dcLBfODautKaZPG1BtsJpyqauTDDz9pM26kCgvbRh36tNFiDBC5vhbp0KHDQYXLbdTWta//Vv3Wur/DXkiod9/9cZv8bH63cSCEU++vXL46+FKVxOFgi3CthX/7rdNtSOHZCFeTQN2EGKEMn8lGi3hgbRpG+1pj8v+KMZe5pXbDtQhniKfxdPOBA4pDnxVpkxRF+iFyuRHxd+tUrWCEz64wdxE11RuEmuQdjWjYAAxdUhqsuNj6YSxGIRjB02O+IMCxFwfeCCBJtkf88DStoS2Bwtjvfe/7a//LP/ufIu6Ha9/97vcGX3PxqUHkIfIeFEjzYQYCBcM2pNaZ/156AZfpUoL2y9RqTV3GbY1e9rUuEtk4bc5I2iZASlCd3GM2ifuMgaAU53hY70QRtyH6lkOHHuX0V3MtMXZIAAfAkD4OeFEfR3K+efr1MN2htZ/8+MOs9g5dTBJ/8OFH9UkrR7gkfB4JXYVY6zpVWkieDkzCrztNwCNS0hfBkook2969ciUiziTmqZPHc0UlTSNkZ8xNNO5ukbb2RG/gLWHpsd77rDDzk/JAUNv4VHsPyc1QBYsQNihhXTYHHUj7zmWLcEr86fOgwoaYkWSeI4mb4+4MKimYjlFgyBJ143OP+Q8VWr51/vZUw1DrJDSDs8ePZOYug6ntAmlJWhvLBwV+MLgWAY4BJrElOQnK/Kt/9a/X1D4iM0fD3U6Kn0hT0SjXrtaSq+djEFpicgXa10dplXsTbi+xCWHHPMZJi3r/6loP4l3d2/d1IeTlAThw+ULQq6/Va9IHb6cileJfr8sQA8fGzSGIbdwrJaXni8s5f3vttaJVggUIHOZ+4/TJUYu3kp4gwfkqLngtjvhMF0NNBphIHgKE6dS7kSSMIdKRi8o6H40ZqG5EzG1G+iJ6kkvSD5w4UKfn7skgBY8QZMpl0jP5iuHPdnCmJqsvd/FIwwX35gmJkB5EsHKuGU6PqpjGTBjV/fVxhjN5QnhsousIFuzYFsO+NrDq4pWbY6BJThqJHVPf+0nenjQUvy+jbdR/UhZh6mQKGyNayU/cZKTz9u5588aD0VCk91tvnp613Jr3h/T/9ne+u/b73/rm9OewZ9eu5n5MCu/LW2Fd5HULaRfyTKBIOc27FMPMibWtAc3IhaqiZSV415uI7fm6EDJiY9TwSpiMLyplCSBk2DT5O8EGC/VqEvloKp3Rx29KhffhtbtJYh4Lbp6PPvl4IMaKCah/6vajUhf5ULv7qDpW/JU27c/++T+P6D8dCHAx4nd2HGkuGd0RDA5JtwF+t7kaq2juYsO4r6juM+fONa5DQ6C3wquYzJFpG8sroLpF85xt0tRG2+AKc0SESz1ixNTfN9bsz7wFaoaZWxdpqPO5KB7xnj9zZubDsKXqD9V7gyo/U6gZFlcEsKxjd4iYeFz0qWD4TctdryX9aQUhajWLQtu8FSSkyB5jVV60pjN/WxMajHPgIJfj0/mZ98axFOdLPHol5n7llVJAw/M6ISleaMLDLMYdD7ap/seIEW6SmSByjTHf36yFsf4miNhz14WQh+BMsP9mxn2fTUTYL15BSIynR0kgJUnU3gQwChZMpKxF4GXgDvKZ3aly1jmX2kjMzv7wO5UpueZKifcw4ze+/ltJlk+nLIrRo5werjufd4KbDOR41oax4BlPXHU2E1zxLBqAT9bf9r5xusy7mplEIEv5Pv/2lmnzyitC3T+oyyX/zPiPB+E32OaLoCegUKbZXYGdxsA7I+IHToyLMEy5aUONacr/uJrkkxNBgiKMSYwXzm4dQJvHnYU9/uluDKJ5n7GYB7x6t0oO3hNj5anRoFytIA+M2j6nTfGosAveSArLlOOnnzzrxnQyn/PF3HGH2Q0JA5DPZzEjZgcvuDe5LKeBYZoBBqetdOXcyN2pur3PyL2gFXTmXxHyL3+3Si/zWhdChsts1FxNCE6d9lCpZGFZX4u04m4rI6uNQZwwmxar8GTL8uLjLUwLIurGXXapAAoDhD/5dGr308tXBu8yJh1AI1x75fLiUfjeD94foxChSqKB1aUt+sIdIMgYbD0bZncSKMnnZ9jZHDAKojIbljfCAhn6NgasbDAE6hnmEEX3OfkUvbX3mzdNQVJhQj5xjQQtD6kLH+8KL1+8KOei01f72b2uJwURjdxqGHcYzvMbDwghyd3faBuMYD15Lq7knz6S0UtQmJvPITaSXmqmsZ1+/fVhVLnNhIdgD0LWqNEYSNlvf/e7071J6JtrzgFBy3oVLdyUCzVP0fNNBYQKioxmiMh5QcqNmjWyFvPjrMSLfyzuOl3rQsjGCgE2oxZlST4nhUhdUk+EShm/HhL7w153N9ZbuMUezBXuIpHuFPSQHzAEksxzGimJS1rqZgkP6xhkYxgVVKx2V0LQTnISzfrgg1xueTf4mW0OFWtMDBiRRK+RqjCzM0pEACWiX0QceUM0bQEeYEluusn7SGVepWrbFOVAsC5pQ0I+q4OgvaJW7SKf9OLlyP/QH/hjETQvAGaQX4EAaQ7G7OHDdfXpPSQs6UpCk+qCI/cyMkHTzUEC9yf5EJjWBeCQ9UM415Km1gY8uvX09jRZ6eUI3BEXHTXcvfngdWj6OMh27cq1jOMlYd8ZgCcKMAnSmIBq77ffemMgHB8+/zg45kQphLyjvTuwc2/jXfzO5trmzbpa2/UjWzP6xetnZuUvvv7r/SYOmirs4Oi+2ryS2x+m/u/mAXDwTQ7NkuMruYmwEav+wK1MC8CllLrKoLqRlLh151aSZzkYR8snGw6fcrq/+94HBTO0ZO386F1LUz6S6NLFyyONZKvdzPfs2VsidIefH8iSPxSB6gr/WbnOV4Mg90qkCaw0riJaPCLOBenLmdES2mczSj7a0IBJr9tJa4YngtMONjobw4y70O9R2FjyNxTEjrQriyzvhgy3kHJeiRsxctl3lW9du3Y5Q/RcTNqREHVcguP5m/mq96cdDlQoSwjfrubQEW6bY4ZtSXzG1fZghaCJHGXV43t5Y1pF874drkb8zvq73zoi1OMZ189b7xsl4z9OIzxpvieyL2TVMSxpQUw2kc6+k67ypSUfnTh5fIJI0xSyMThyYiKzUY/5bx7DVXidxq3dQoMeewJX464uyspcfF+Pa50IGUaKPJ72vWoLdWyPO8KASGEdM+I2v5CiDAoFoqx5PsiN5Svg9onm1XfNEV3U5FRLtBJCzNeu3ixjTgHqxlxzZXSF/5Tlk9Ayw6hSkSvS1KHkh3K7HSo/4EBfh6qh4w1AZOrZVFQ8a9N2JN0wmGMOdkTEzzXGLj9Yxpq+yoiX29D74f0tNV4EFRC6k5jappG+PArTNaj3jCsqonBmncJZRM4eSH73GdI6l1o/b8TVfZ7lD6bA2ypc9CXeGu6UIMGY0vSxAc0JpfzQjo/g5bmbhIeNt8Tkc7hmxGxkcoQdPG89hP0x1M20iXNaaEPMC675G9ff9RhC/zoQCkwRufzk3Nn5/VhJVLtiNCN1mOWUSiXdzVFsAAEnstpzRi3G743e2wdGGPTzehGx56wPIRu5r1SrlEmbyziazju5hBCLDvL8unoxcAnxhWJgeMsCwp5ghE0lHWA9ndLd2GunXzs50ou1frnN+drX3hkVKFLWkk141/1Y5w7NkVCvYaBkG1DC5bv3w3PU9ae57HznpoPrMRec6YtRBea4JnGp8YwLjVRqPP62NC9cpJixgxuOT7MW1L/vy7PADKHnkvP7uyAPzwaIIuKJcf0ddICZQRrfEbpavgflPFgDPumGMZKUx8e4+Mkl+MjBEHq3PlcyJI2PPxsGBvHUQsLq1siY4PGjR4IkCRO4ns+cP10kUvN07koeJvWGKNLYV1CNVuUzpy2/qGvdMDJispGwMaxosRhOJMbWpJkiUpv9+FGVuLEvQ6ytngVahbYtFuu3tR4m2LCjwMMmiUFbJqfCAh6rsxAxgRjgQoYaDwRMa7NJdj3OwILBsT3HRozh9uJ53G78swxCDMdDcqMWswidxgArPASBo0bPIbHmwQ3O+KhgmFd5v3EjHAx4+NCR/hasYIz1jMklaU6Y13vgYd9XRIyA4OKlslw4l6tvSR5i9MGh1tKz+ZD9jBhlCWpuiLh05GdqsSVgcNrpzpYgTi47hqFTVcEAFd6f5PoTmSNIGHMLk6pMb1ytFTcq41qkcX9Qh4BB2CvG1loMFDP+0UCN7Iu41o+Qgf5UjAVfrP82JHWtBk2V8Rg8Ebi/TXlPhtLzLcsGb9iwN8ITLas7/YbcVkkmC6crpk2z8XPWXL/oTvQ//4///doPf/ijAidL1cSxrG8SzkZuq0hV1AskIJ30ZZbC6D/XVE5soS1UNJcOGnNwd507WwgcJIgIfUZOLyJBpAgZ8yF6LVkZoQtxLWMzn5UWGRdZc6YZSFAMhjgcJWZ9lrWRzwxvhz17j2dEvfitMXDX5Q2IYMxdngXiF773Xh09CQrhZ4zKyDJ34XRS3JETmJbr8XHjElFU80j9b7mnFKueIYW3HX286SHsq24vw7sxgA8MxysZlNyb2t6COxhfYhZMbcwKXPXnWwmHWdjf8D/rpAsWibGSFhaWRLKBwsY3JdL3HxVKqnCtIXhhUxLHxvjdwlDxqw0GO7zGQ3E1a5uflKrcn7QQHLFp3kOSeCY1S3ojmGXxl1pABIEIxs/bUGWM2WhuQTkL3u/kVZLYHIydep8AjXumSUgg/R3Uv4Ee5uKZ421JMiNChE9ruIczQeRzCMjwx5Lu3G/uIxmd12K1TggZs62EgAijgyXNVQifT1dSvrUCD6xJ9B4ha1GgLKrUTZ6R1uJg6aG8EULd7j+YP+0BkytqOFRwSFj/dslc1srhOww5nZdETjGs80IIA7WV9sJh9oerOpnql9YSk2O04bTu/EVc60fIES2OFbL1Pb0zEoOKJ/WWTWL1IhjyYVHFiAmu5iudJiepY4sJM4rxgxraoiJGUbFv/aPfXvtP3/5O/uNjSfm8HDGD5HcJSjCl53P5uecEByKSntjrGGWBBAgR3SAqapjkJrlIOARKAns+OIEBjOFJ90VIpKVnIJrBnjEX3yvjEOOSwBhFedTd0jkn7D1MWtAjyYrY5TmMtI/QSEKYGzEj9iV/ApNndGLStIDkKusJyljHldE5k+h3hEhgGBM3owCJnGqtE9QrMoplDV4u4ATXny6Ur6sot5v5MZAxrYuwcP8JysSA5qtI92B+fEJortaOUFjZHsuLv9l/14eQmxhfMKMBJmTogBQ23AbwLd/JtWZD5ACLVNkQhLpkevFgSKyp0XQ1YYhIeJVao4r953R7ElhzEoT7T//0j0cqw7n8vDYSPichbyVdEChJ7RLK5Vuek4v6jtAYVpJsYEWf3d+5Iz5vHAjNcxE24gU3fAahIHREx+crOWkFe6h8HgPEhYkwCfxOOpNqMvJgeERmzgIj/luYdkkPFXnzd5KUv3sCKe0YXzGmQpA8KMsxxwtzsw+M0zgmIBPTd+vWUAusBcfDwjwr02qgvxnTZN4lMJYIa11IYzKVIOZoXMZMiw58wPTGSw28uKwBYv6irvXByGFL6nmOAiAZWjiuJ74YkgohSMJG1NvCpkMMbbRT5gMaoya5cdq/Pld/iCTJ02eLlc4QIxE17+b7JPFgYgQDHthEG75/z6ttwuI1IblIahBh8UAoN3o00S5SmgQk5VVaUKH36tCzv8AAy9/Y2se570Qn80vbTBrDd39//LhU1AwihqGsOm2t/Pygfhy8FovERwSkZVK9TZ/zUVoTkGLgUBBqBWMWo3JhOuNB8CAMRgBLzLHlmvnuuAs761+8HNXmfg9aV4wxha09Y7LwaKW+nBRgLaRxgm1C0gJRb7/95qSwytMwTuO2HgSDOWEqY/dghQkDh2LAzJ15/tgEuQmFnBraz66f+8WY1+v6XIRswf++i5RgdDwumCEJ/umT8idaWOFZxIWQWdOIGz5GDFxuY9S0OIpLOdW1epJs49hamzA1Y+HKbj9Y8ZvBih/+8N1CsgfX3vvxe3NvUGVfdXrUnP5lk5XVBywiIrhWhIvbj2tJYhHiBiOo1CHKpPLBg52Xl4+Z5sCQ1Lo9sMEsfEaez7tILBJf6b6/Xy2iaHzeww/NQ+AFxOoICLjdc0hLBL4tQiWFH7ZWpOikhUa4GG2RuMvuWy9VIoicmwwEQeTgAG31MMahBTD6s+awvTEvlR/bSx66OxmCwv9ccoxAWHuqX17Mn6ErSiiBSkBmIMYLeMEjJK96awQtq+1pjHr4UB1Ew853ag6pWxMpj6o1esFYs+CzQss/q5eW2fzcH17Sj5+LkP/BZw+ha0jCLaO2LfjQRgsMOILsxPETWdXlM6SySVuLKssLkezekHUfMT6n/qvM0JGS094CIAL4lcrXVAX+IyW1af3ggw8j4GreInxq23vkCz+qAQoV6n0CL1fbcD5TPtVxzzWeh3kebCDjS8K9DDx1ezacCke0DlMcdY2H+8LMmHUYLKmF8BaX3OIJuXzlcoStwSGvyaZOSVKtrPo7f3a5G4w39/WevfKVu9fNxraCBQSAll63w6i8CDQHWIPpaJ7YqjmCLMsaq8j5tAw28IxQMJeNIqytOc0lldM9dt/eWU5FTce7j1wNaw8/3w0jf+VLb00VjY6kPBvHK2XSpBGzSgoaAm3yY0A3fwyugNdpUDsLVaes5rJEv+lrfQi59YPVlmJJzakLN9drTfRo756wVwQpEGCDEQeiszgMHl/6jV0RPi40K2EHfPi035VCMUL0NntFE5LyKhC4yo73P6j648ihwtL5ONtwLahE/hgqpJkcgaV2DlrJyk9E3MgqlycAD1OlUkZ5J3S75x7kaYCruQuNc/U5RLxyvVHb7ABgylh88apo2zoqv78/f64NbCc75UEAK7xO8qp+QWgI2SWbjwrfsqVwfkys0aJuoTtLxN9beJ0/XCUJIperLRmJBEb8xgbby6OGc62pxo5HSpASCNrTZ2mBkTGN9XjEfLexweCTJtCYJeuDHBKR2CWkKBuBIfhUp6T2ZosIaJQKXjyMEbfnUjXuR1HxZg1emscvaGxMb3IWZh2vn6H1l/gQm67ZyKQm1upp0hjjat4Li+xvVD9ppBJZ/oJ4v9cZTaSE4lDETmohQNcrJfUIgKjNo/7OnD03ubOWikEDczNCQAuSHswgiUXCxmvRLsJ5q86ZFpd0ZgiRfIxEnz98+NAQtHxeGHECBb2XREWIiHsxYmOY5uV1ktLzFoOSQZfxY46NCTF4/yqIQGP4Owkrtxqjc+XN2sS8PAswsQy360EhvnL3OJmBS+UfPrRUloASfl9OdOIbXhvNYj0Y0iJ81pyQWFxwQYbmZ41pOmVcGtd4DXyQaCXfg1SXuukIuekvbTwxlr3A+B4k4mceXHjmuEpe+gUitiV9Lf/44Rd+XF54Sf+ui0S2SWDA00dh23u1Y01SlNDQ17Ko3FlXUr3i/TYYkV1tQRwXy8XEL3kiiYFolPHvDTLwUpCal5M4MjyVziOgL3/57bWPP/54AgC32njSV+L8dL9PUuhYdKWc4jRxRFv3njHyqo4OyzkSl6tsx/Zjwxy0CNx6oQNlNgctuJkc1Ws+sLRrxtuYMAjJCk7YXFa9Ak/Qxs8k6CrI4VkwLWJ8UucjBi/NQ+SpTuHtGD9y7yHhHweBGIsMyju5EVVaHy7Z/kC5J5evXJkTosCNFUNgJhg8jhxJvC+/sbUzZo4FxAxGPdlYNK9xqfJ4Pyj2zd/5xmQHCi3TEBoa8g3r9Sw/41bZcgp7CZxJCGotSPT53fM2cjtmGLY/W7bUt7nPun6emOfn5onJfLYf1+VaF0I2YngXp3L5cN6fO3c2wq5+rYVUASGVkDF3+fzlwbdXIigq2eExR/NC2NCrn3a4S4v8NALkf72dpAcR5M5yk3HeU9d/9VcXRupQsVQzAiMhLl2udWybQaVuKG8WcVDV3gMaHD1ysBDt/XDhp0P8X/nyGxVdHu0zHc4eA5CW8gswDFmCiKcLUt8Rt/IiG/X4EdeUDR75MxgYEyAQ0t7lO2OWISsTkAcCNJA+qrxKZyNQbMH3WhYk7ZPSJOL1+7enMQuY5DMkKLi1EEXSv+fIF+Z5EUjxNxgZ7EDQPAyTzxFRc7NdbF0dxaaXh3Vw1rTcF2vEtadgl59Zg5flGIkSg5LgI2h6vwT/YeQS6ncUodzaeizwKNsGtf7SNS/Bz+tExB63PoTc4tno1bhJLQ71zRt3pRb3rx3N5fPXf/0fpniUlP3qV7+y9naLQTJdqjO9HhTK0Hd2zhs3Egzn+6t1zzmcKnzz9KkJSVOZjt5F5Ae7L+PScweTh3EduQDmUPFCyZ/VMlWugIU1NmmfV+rEQ8IIZ5Ns+qHxQIAnMDeJhBi8Z6BB0tRm8TSQvJjGzRATgt+3r7L/rHvz8jcQZ7UQMLGiThJxQsYMyKSlShmwws8Ia/IrEgS0E8x+9y7vRwffZFQxcjGk8fA/0yB84Nxq4AhXIin/qPa6T5/Ia64x+sGM2+bz6eUy91pH91TKRMgIQcsd8/2jj8/2rPs1ezyW5+ZAa1Ild8Q99kBjZURe/rQqnZ5nbi3l2v7yLPSl1t9iPBeoyrVa5OW3X3xpRRg/97df98f1IeQmQXqpQDibJFZ69KAc3FKAwlpVSZ89M8Syd8/rGW87pmXV+Qw3ngP1aNTslggIUR7JkNOnjKHDqLhYISk1q4h0lVhuc/iWYThSXX4zrwRCu3jpylj/VOeuNtAZczwG1K2G3z/+YFGr8hf4jfWcONj9EaWO7VxmG+sunk02zKQMyz7Aps9IwAhPQIIKd7Aj+AB3M9C8T36xwA6cCw7IJaYhMBvNcKisMpsuggZ3kto7gzygzaPOQCFVNxUqX/I+Hk0+iXvBsbw2MgtVo/MMERgHghVLRHMxPklSkEqD83gjxta3uYPam5s5M0oZfLwaIqOiqVeTxkr9z549F7Pk2W/MOhNtLNlrhEq2gKKC52kLQS7PG4O6taW52CrzfX4mNVqc1mjUVn9Zj+tzEfJIob9nNDaXg56qI6kQ5oM6vE+kKwJyuLfC1AtVb4gG2WAndO5Nmt1JzfGLbitTK7KKGJ5PGuL9+0nzKiheO/n11HtGTNLqjZz4jilD6NxyhMCDVDLpdqsNupy05l9V1Uu1I04Esr2zRTaUjHT81UPd72iBmKqnIzgGDjjk8zbyxMkTk7cMj/Ni8CofCA/yT8PFY4gGZyY5PcmnKxDYhIFkwx3Ov2335Atbh2Opbwnx+5LWciHa3uaRPzqGNR950o/GQJXtRhKWJHSpJKHWTztcBumZiOuf/Q9/mt/8JyXMLxl0F86fq2P9l8YNCaM3wTwWRRQjctjYKjoM6HmFsLuDPLujqW1bO8MviYwhnZX3PBwOjsjNkJB16uSpqVMEEfn6p5dzts79B2m6K/nMc+05bHP7Ni3BtD24V6j7dGHr/MiIPALncx7bAtO3N+t5fS5C/ocGRBUjHM5+0ok63BgBb4544eKNEcsrRw8NVOBWI1kcSzuehqSKsp07uXNuBzXgwS+/9WZEJ6Nt00i8d98933dHbgnb5jMltah62C2p4DVGIiZQvRCdDAFv3ZrBFZpyeM4m54/09cqRfKi9d2kHYOFFFht/UmjmsClNkF/Z2cxLX4qSZJJADFebRTIi6JWPnNFFOklX9R5SVxd4hZqISiWJI4i1e6VxzG/RJCXcb1jKvEg5VdJOZNrWmMEekh20UZeIORD91pifhLyVDXK9Wj1nq/DwwMmCF1t2VUvIgOu5m8tOu/sgb9DOBVNjEtKZkKFFtjVW/mTSfkfHvPGILMegOcKhLkiI09ENjVlxwoMYRuRWka5u9fqPPM5oh5lHfZEqjXN+Ht30gmqoqXW4CIWXfo2an41eFk0EymKJSo1x1GbCif/2L/5dhkfnJ0eUjplFiEuu75JqCdsqCN2V1X+5NEK9KxCpTYV9pXeSsu452W0ZgoM3k4buRcJwJzEISUoGj/cbj88joFOnTszzvZcB6d6sfu49cAIWRkDgC4KgIcESwRD7NBItBkOkpDTsOvg5YreXxuFzwsGraB6Pjq9Jqk/t80Ebv/cgQhoPkVsXjVYQm3v7jKPaaDHYmNRnJwiy8P2SxhMwipmMAaTwXvczP2uL0VYuOa/fiRGE8JVu8U/D2atsvJMnjqclO2iztXL/G7nhbueGY9RaH0LK8wkYHhaG6Bd1rYtEtsNLoskiJS2YxYCbYUCqnmH1paABw8UCLdZunYYyVByT61znI+FHzvjLl69OEIQX4VY4WlBA/wb3Ij3d38XQsagYxgZyGSE4v5O4rPM53ium8j5q70ReCQafSJdGKzZ/2xPVHYiVs79DeCIkP1OxvCZw/O48ASsCRDQ21P1IWFBl4EnfGWy0xzBD40SwB/IDLy47CT4xZPcaCBAxmUkkP/cwRpCHMRZpDzGCKAgIEYNkhzPyBIQYeGDRag3MG8Gt1gZcO5RBB5YZ484YXMRPS93rBVecr0Ia+4yGNxpCOjqN1sP8GGxjrkNeG+9TQHDkFUGtAidG3f/G+w9eMbf3vuxrXQiZe4bqJN20gL1XxYINo/ZN2saaCw8FGkTQXuPA592QW6GmDy6UGXf36RIBe+vN02s//NGP1r7c++HZH/7o3ZHQO9tIBOhLkOGz7gnbMZBIwflbhg0LXKsrz2DoIHBjVDVhszYENUgmxPLwweJBQCxwsQR542eUuUheUtFGj8ZJQjlwB4GCFnd6L4kqeujYh2HgiAHWXGko90FU036r+zM2jZsq4NPmLUC0fSSiCoo0LhpAIe7KzUgrSUBayppWx6DV76L3PI/pEOMSYY0RY/R7EZKxY3SQjtYT7GDs2QMMuVBa3UNzibIV7J3jgoXvXUtOddh5ci+KOu4L9yftzX357DpQ6jz57/5nXQgZlYqgCXOuQp0ksC9TZAU73Jy0e+crX5qwqI32dziZJf0gIt5eyNMGWUiL74K3P614ckp2FKC2uaSZPGfSBz7vxb5r6pI063Osea+Tbkp4EAGCWZ7ZGXoRMs2gMTdihWfH1ZaxyjfNQ3I4gkLUfpYhRoVTpYjZ2PRFRlD84FQ8P+sEWGIszApaUd0IEfFiHPOCL0l60sxcaDOSnSvu6dPlQHWV5YJE1gs8ulhrq0etlc+QzNx6ilXlSIBiGrI8a1zusasgBWIfLJ02k5wfBF/TPGAM0PzKNxsL3/PD5wmNpO3p06dnbAj5SIGpK59e6UiKC8NwO8Lh5mDNzZPfe/PBYFWMtlx22PXL35dX1+vfdSFk0EFfBlBighGpRljR17N6hiE4KvYrX3o7gnm0du7MuUnSprLlT+gGdKQFBkPhOhK0j/QZrjMd1G8lxUmtJGySmWvNAYfuCx4MHm+ht0cgYYKBBYgNRNCvAiRgDCICwQ8+WH5aDCYJCJGDEIxFl98FaMAeUhaxIUp+U19gBwJB3ObNq2G8GGWke0wGd2IK2HckYuPzOUy1SF/pmYtBuBA9F+Hy984nmzFj9EMHjuXSvDheDxKSlIVPtQxgP+zM1YekMK5negZm47vA7DxJmJuhiijVDu552vkgLTbMLgFI4AWTYVqdU9kMjx4fXg7JKZFJkpY+y87h5paj3TzL3izXzxHxOkGJFw/66bd1MvZkTDFeIrakBiOFJLUgFkDWG462WNxlymo4+3G3RdFwcMkRXiSxI3IPHzo8eQftS5tfw5Qkh4UeDIiA22QXycQ3u1QEbxtCgfc8dyGanhuBgArGJlolWYj/maSRgE96LQTNMBIs2THtu7i/eFuE1GFgxEoqkXwr/M8oktbJwPMezMOAinoWwiZtmzfV7vnUMZU+VScv5rD0EEbwvC6KDGptmxYgWXWqx7Rq5swdNNB0XPDH+2FyjGr9NFhkE0gH3byltIEMR8YeBqMVrBmhMHWK7RGNg6B1NZWPoe/Ihx99NMEhJwNM5l77w0jGIO6P+dGqZ88PNmGunyPm1UveuE7XukjkUSsNurWaKNezOP1GhKOZyrYWXhbcrRaC9D3RGckrFW9xR2JGPHfzWTJw3IuUleSto+WcFRdRXL5ytYXPg9G9GToHqiFTr4ZwSD7Y0qZqFILISC2S3QU2ICCEILmGNJZUs2oPRRI/anwCFDYWhCD9wQFWPoL2bBc0wG+uZMg+rYgcEZsPovL8i0XEGGOeGfIZJoCvMdECfbTmWloAeA8tQ/obt+JOzAhy0VaY9REMDXLsrS9FUp0gQLykOskokAGMTTf/fjhYXxHMIyV2wv/BhgP57c0ZwYJdGGvsgOZLwpLetAuCN0eeCoLGmFqeIWZJ9/IzZryNC0OaX/ioN5ho3wyk7/P6ir576WVeHvnSL1iPSrUoZrySPjbGFynH1USFip4pcpTxRjXyK8v4Wrm9wA3SG+bet1cYenMW9tFZRFIe8ZBQpBqcSiIqYYoWJswKE4MR3ochbAzjhyRZ1G8nhxaW5qa72PFeDXiigow+oWqbpsH4MGUppQ6akaeAuIXUSWQwiXYwV0xpjH4HI9wDwap+tg5yrUlksAYUIc0ZnSCS/Az5G5HxvKbOD9O5MCZGFB6W1wBmGdu1cjV01KdhlsrmBUqgHL+bt7nSChKBRkO2JkqZ0JSAzPmSpH7ywceNpf7MMelER42vtbeO9gjxD9Tp+fsqTCAIMIsupsYGNtIeI5m788+XQSF6l+f5Wo9rXQjZQKkeGwVLmofaOx0tB0slAWyc/r36F5NYVyNeas7PDJupnYuwHxRuHhwW55NcmEOH9p1t6p68G6QPA8tGsfJJapJYKNqzqFZMcKjo33SPbEw2FvGNiyyiu5r7DZwgHTn4RfEQsgDIVB13L96Hwc5trntS6RjyZtrAJq+CG7PZhcL9nQE57kVqmiswogWrqHC/802Tvohi5eIzLvdlJGsmQyggKH73VTIPpuWWtK6wvD4TKM64ELfwsbm61+J6XDAsyYqhRPTkKBMcwss7EijGxrVmTYyPl2LWonk7gYoNgKjNj9dlX60BNL7hZwYxPA/Drkh1RbwzyF5dfX9B0155qde6QAv+SVhTPi1JpsSG9H30oIYsEQ7JtLeklHPnzs1kEL0NJVlOnTyRmtvVhnDvFAQIOvAAnC9Uq4pkT1jOik7+7hB9VcKdO60dLNxs4+HTGzduT1kTdxdJhjkm/NwmyumAx13Tisqz869+9Z23196rp9xP3v9o7Z0vv9VfLXuGXPMwHhIcwSqtpw1IXoGalReCr1X4HSEiNky1knLjh+3zEn0QmDo52gnjLlJ9KdRFiAicNLZOjjzjobhWKqpOo9/97nfXXj91YvAyAt+3R2L9glm5GR34SP2PNm9e1oNU3xcDSbwSBbxbpFL+tzRa4OftN18fRgYdnj3d21outY/gxKxB85ouRdk87gtOOLPlYHBuz66KAsqLeVDehQSl6PunRNtPc1nF9ZLELx6xPtlvMs0QFcNiom9xPQw1gYNwJrVmExHC7n6+EWH5HUeTRDbz1s1yYWuuggj5kz94/8MMtp1TaMotJIQqkACTIkLeDQSiysEz5z3dTx4zlc29RK2ScvzXfL2I8s4LA47klE/rXqQSlxZ1NYQVQXgNgcLMx8ocWxGa18yDlCfhNmyoRq7PksiXSpeUH6KyBdSa3IaIaeDExsLCETXmQMykKe/CQsg8DosRZc0Yf+5HUnqfL/5ewEGk7WBeBJpKgtNKpSNmBGTtnNcNLsC8tNXjqZ4RtIrmIlL3NZbLJXmZBxffvZ7BJhhhAta09rFyQqX2WqNNM9xjHHN33t4GvfKGoV6Q1lBvbNJ3X3P1wPUi6HWBFjb3cZviizRzyUmwQAwTGJWl/PZbb47UkSOrB5v+ChbGhiKcaRXQBoAc11LPikYRKVUKUjCkeAg49EmeI8EHG4g4SG0Of5/xN4u8BABilH5mPMK5IzFjupvh3e99/4fDZBLYlRmNpGsumITqB5VoDtKYFMYItMcEEdot0AMEmOrjGETggIXvmDTGJO+N+yBK8zMO95v1ihBtsz0n/Vc+WoSGEBC4OXmP9RFy9tlFqmsUsyQIWV8wa3D3zt0TkWOAweTWbBi+nzEW2wHh6p3sOWfD/xh+yZ4TX8z91xoa33LOYa3KEhSEi54Wnj+GYPfHcJ6zSPDlW/8u0rmXzWE9r3WBFhZFFYTNaK/XtrdxDIE5EiwsRipqu0r6MVxG2kUECJaBcj01KnnnUFgYoZJAKckhYt04Hflrwc+V9UUCHz91dIiHxPVM4WgMIWjikrSPBNxHmJubDfbmF4ZZMdXKj/qlt0+v/Zs//3djoYu0bUuNUvFvvnG4jLMPu6f6Op4IhKi1wWLsmR/iZuTBkIhb7jXX3cbysF3w7KRvxmzmjmpJUkao+4BECEKzGgyGCRBk72rsD/L3ygFZ4AgiAruof5ie54ZnA3Mg+CWMvITvMTJIIw/ZwfJPzz0u9/jjCK+o5/bTJfaXjZfnpuHPa9bRhTD54hXLslkw8N4MblltGMA+27tNW2S3LdJ6vQl2BvYr/lkXQqY6SQBsuCyKPm5L5G5SJjP6nj870gZ0wMvm3bP5Zz87N+6lIdQ8C3oeS4JEbCQcw4Jvk2TXh+x8ecncbG+9eXokAyLh/ZgQcItO/SmkXB1BQAKJWg1kaMMQgfD36ncJSTq2y2VGiKSxsiTPV9fm/apFbB7LHuHB9NxwpCw3ICJi4dvkU+FZEo/RCMuSaitJzdBFADaddkKMJNsEjHof6TsSufds6XWROj5czbYlvV+uWhrxfuVLb679+3//H8dIRfS4daRizODYCh4aGWyKRjFv/w98OlHlhwoYB6nz4ctn/uTM+aDC9sG55m6dMZF1P1yt5MG03eHDRyNiBCxQFYNF+Zg5/as5bmOGoGfbR3DMLy9+n59XUrlxvOzr74AWnrj6+oceSfVRQwyDjI6kh/Q+sEKo1aaaFXVI5TF6JHY7nGVfiUHPIzDnfGje7XUSUO4FvCcpXL8HaY2HwpokNoLkDmOwfentDLJ25z9953vjD70S5JAnq0xoX11yPmsjJRwhapKfd4OfmheDxPY6TC5MTMKBLP/p299b+6M//P1xEHPjXfq09ldNzXEOR8onxmjK9B/kl5WEZFNpBU1iDvddYaxKb4Wy4JK8E8Rt3PsKaghukN4wOQgkcCMMD25wzWFEZ93dqa+GeV6rIJT0hpMfPVp6cTgL5FkHcOoYqn/y9n7fVjL+41JfdwUn4GFjvJhbTePv3hwT6yt9rdOaPuzZ99a+/rWvtMZlEfY3nhceJbDNLvJ67G6sEoO25PvXgP1hz37S2g5TRODP2i8FRnDz4+4xBQvZKPrbgSTDVBanCwO5Xvy6/PKS//0VhOzhOMuXn5fB9MNPLwPihiGdEPHjGrA87VAYKvDxY77XIlphKNayhig3a5AHY2yMy29HnJeCFfdSzQIc95Lcm9vw0GLSI8KPkC9fWSqHXzlysPq88pBLhv/kzCepZo56anLL2h/842/NMz45ez6poDHKrfybju+VG9F9k6yqTrjgJAaRctQtg5CZ81mYkqR7+0tvTbTMkVt6AEddazciVu2i7nYfCUw3rneeXf7SDz88V4FAFRydxaGxuAy9A3Wx3JZnYUOb3FKMt0LoXUYdJtkTc0ryf979eQV0mCd9SVBGL2K28VyLDo/RU+5JxOxUJgW5moxj6v6Ym8wRZK1ynUup8guXrsVAr/YZ3gnYX6SRVijqWQ40Jr54/lJtFQrgJHk/q4OniKX+Fxdq6P2t3/3GMDX/+54Y/U4uvTimpPzwf3Pa0vN27dxb5frxNGRHZNzL7ilI9STj7lq1kA+igc0x0v3WHNM/agDqAJcGkFFvRI1+EDIY43pB0/Pzy/zn14AWhrQQ+nCc5N2IH2HbUaqMFCJlSOWNLfT2HansxzvCjTsjig9mUofqT/FKB59fSnr8+CfvJ4UfpKorzYmI92RIwX48E+7FaGJ1i2xJAn+fEz98CQtTh1xajpv92//8XyYvYG+ZbieOHx/iF427H9MsqndJeiFFGT9yF76cmiY9qeNLl69VR/hOxs+lee3kiRMxgIyzxR9rPrCtGZPsDCx/I90wDMNo8R8vQR4eG1tImjszUHIR4hSEATEeNifRRZdjDbbEqMbKfen4A+432W/n3v1gtBpmlBz0w3ffi9ArDE3anqh49WLemNdO8N48GS1HkMDoIpRKxmB9MIYvmZfCFyP00yppbvX809VC0mYYfYy6juPVbheR7kzSb80luKm565y/ua8pQu27IJDjMhrK7A/Mv5TjzpQW7B0MgcHXi5J/DUJeBrn6lzHm4qtFbPDn5EK0LFP24hwOUj5pow/DqZMn5hMCA7Am6fS1r3xlWYg4HGHC1fQRyxkWXSBBqjqf8Q9+9F6HRR6LIT5ukw6m8opsdd+//P4PJvihNwTjC1wYSNImUuvgjfcxcBx+cyVYc6yiVsz16eUrtRf40mgaxPZbqd/z5y4EQYq2zSZIuexM6KQ5O0DUECRhTNEuuhEhvjvdEya+mjfgaoar1q3td5stU61cjIgGxp7TUnudWvc8VTIK6jEkCAZO8LqAXELQGEX51p/88R+s/Sgihl3PnDkXoRWqz9DjxuS/Hq8IDJ9XxsBhdU1vMLOfrxYNtKbsitdfP5kkb08i+utpDsxFQmtJYA+2VcpEA9MixsYYJZx6zGgTGHl8+kFHhIyRfW4+1A5bH35MGdWz4YhkHa5fAS3+4afMppqdy0Z6of+pSCqzH9e2JT1nUYMTqzyFxXIuXh8B6FSjSQgXGIjiJNQvp5JfPXZsjCNeAQuid9rNm5+NYaLy2IbtDbvBmaT0G7UVQBQ24C//6j8ONiQhSEkSBzYHWfaGXZ3+qbyHhLnWpv34/Q8noni0VMX7vW+MtCQmAv/b73x/7XTHBGvW8qCxyArjj2XELl6AijFHDecCTCKe62DKy2FQxKtQYNoO5D0hEVUkYwYV4Nxkc4xBTIiQjV3SD+KVzAQmkYhsBq/tiZDBOJHPw9XIjcQOo377v/xgvAgktl4d3//he63jhrVzaTZMQEvZF/kX3WwMZURs7Nyg40NvLJ4PK586eTwGvddYhJ3LKAwKIkoGKsYlnOwTd6oRWn+/2yP7vcDM5XfC7KfX/HGBon1s3a6XIpFHKjWd1cT4T2GzW7c6xqvR764CWnssXw4Rf5r0aqsiqOVwyIMHMioyuPR4cKqQ68jhytU7LIYkAiOOVcGAAahixiGpc+58p3RGhKdfP7X25//nvxsp+M5X3pqAx6slI7XOqd5OVw1eSHmUV8ugOZ0E5wH58ONz413QzNDGvhIT6YVB+jwMY5Ncb0TMNzO4SPbZyDZuaYa9cVyDpBHviXwPlj61KrXS3BRywrYYRI0bSHSufI4/eeP0aJvvfu9HSbNQZ3+nlcCXPLJplyRYTIIweVNu3BBpW4hbmPov//o/5sG4tfafv/uDYViSm61AW4hYWh+eF+5O3pY94X31dqNBWtutwTlSmMYDBRXJamh4JAaWSI+YDx7MCM0uuHkzKR4hsxnsM8i0ZWtz7D1Kpsbb0li5VOlcRP7TayXgomsaynxk4Xn5ZV+/NiEjyCHkRmewJseAgW+fdvaFQe9JKm3J1wgj+YIuN9XUhLTalOFAgkpDnOaB/S4caq4Wm++SsQZ62HSVwVxLJMlvffVLa9/+9n8ZF9zHn5zr7LjfHml+PLwo7ZFr6XYSH/EK+5Kcc5xZBhwJQ00zLt1PBFBmGSl0+7PCwUkoUvXY0UNhyhLM8y5ciAjlRehuSbKZDGJAtNS+xB2zY9SCT7OlvUeUjJQllS/ETIhOwtFHZ87n8dg/Y+bF2dKcaIviISNVtzVnKp7Kv3tHNl1rE0zR4oCh+uP3P+5cvAXnc3NaQ2t1oSPauB4RsgDRrt15JzLAb97kP3eURElTERR/O63gvtbzWO5F8MBY3U9WGyK/v8vBk8sREGwMLj1uw8c8GTGy90b/Sf4lPI8O5rKJL66VxOYB+f8kIRsnQnbhxjF4mhw/KDdQWi3pZhHAjqXZtwCEs+BsitDnWPERLSjyuFasjpBFJ3pDkGZq+ETeqEmNUzQwnLyKnssP/K//93+79lvvfHkYwsI65JAk58RnSTssURgYZubFkLo4fdPawMkua5DU8YM+q65NghAMfSMCvhRupmbhPNBCQIEx9yAGEcKV24Bgl1zrnTMumwazw71w884wLng1fuVeN7/zERtmkKJpDPtz3Q3kuVZy0rPC6eZa8AWuvpn77uLFXJSN03F7BbIAABIiSURBVBpLotJL+mFrdjlNAe9iME0JfQYZIUzV1+DJwIO75Z7kSXEqFNghOGItSAwGK4ighQAf9+ZSA7jyYPYDnYN98ODu1lm+c3OtHGyIufeyb3hJttZegSEZdw1ha21gDUYaNRbkMTTSDz9H2/3l5V2/tkT+2VAaYmM3AbF8XWkYfBtBiQ6T8TpiQbS+tIiS72ABNrcAT4vV30k96yhpYxRUiuVL77SIsClpL42S1BQFAwlIXq4umyF763CS03JdCLNubKO4AUX0JJfD0bt7LonkUkKk6pp0dn8EOYZccAREeO/HH41kfadWWv/3f/jb+QwCI7nOd38S0OdIJEk04AkDd/I2egam9oURGHjyiYWp2QrT1LyxaZyIYL4esU/Pt5HISqCelGN9MPh0MY1RFJQPPmnIthiGSPq7t3VlCO8vt7gfB8LMWGISUhTl8EVfD25ci0H35MnxfCFuTAF6wPDmPj72mHtP3gqcyzbRCoDrTdLVpuyOh+3Bihh1KaWRNie5PQixToJVTDGVQZ7v6gPGshDz8tLL/vdzEzLuXEWLEOZyaKJevBkIqWQ1eS6bvCQM4eSlB9r2JIJMLL0Q+FbHldUukISIQJK3HFec4Tmghu8kqfsxJqbCI4mIEN7SRy6DTHKO1MMLRf1Y6M7WI5lhXRlrAg+0xISkux/cfL/GJYIrR48cyh+8JVfc+SHOs/XOQIAikT/40Y/HKD39+okkVl15iiwKcgxTRvAIDLyA20lXhAKj+kIhJDcp7hcG6pmeYXd5DcCOrTEOl9idfL8YgQhDGx99cjbG/XQIF1ZmwF7ONchLYT1U4Di48mnabtI8gwGEh7Zdonc8BXp+YNT7rc905GxdHY6pHdaWBIx7wrvqG+VtgFogSfTaexAqX/BMo7mF55sTTbeSuPbu9uOOcitwYsxzrHHMIIy9SmCyBt7va8Vcc9OX+M/nJuSfH8NqkDiP1PUFk24XdQoaUC2TYJ7XgUHEv8vIEJKVsMLTIQWQpBvmaAuET6l/khnGk822GC75M7unFEnS0IlE1OG77/1k3EYseBgURgc7RJzkFW+NiEnbG4V5EZox6NGmdSrPCUL87vd+OMYkYpArcaL6uDPdS6stWJb2GL9vRKGHGyuflKXWMQjCFNYdIovQQACEDdKYr3vwU4u6Ld6DjDF+3tyNF4Maq3xnxMGDMW6txk6SwbPm6xhdc77/vNyLek1jlsfbdSEtNbZqb1rMGmKefXl3RDOvXLmCkiaSiTmnaUufY0SvPEsjNoMuWmZNsKvNZFts2Ur+gjRLBI/EfRavbQIb+w/uT3a152oqG2uMvXK/TUyhsRi//7L15jE/Tzsv6+fPT8gNbnUNl+UC51t1UfM2lMS9G8zQ7QccQPAStPlyiWdeDJtuQbnJVI3cSp09KDzrnjZeqNTCMPxkXY36OpBUZT1nuPAXw79j2EQ4pOSDFpW63ZTnARdJGmdIOk4BYemP5oQjkk3yETV4NwkuD/mVo7Dqw74fHu1y9WreihqBv1pfZhJLzzTlQnAiBhGpk2sxlRV97kifk5+hNYDAAQ3VJCc3QQIOZoL97ajkdgRQE7XB1rSMoM/9DfzNopBLSyvwx9qR1lqL6TKk1az3HIhBt0njbN6I9WguPll6NNPuxsWHj/jAHsyDwAWBtvY3e0S6EgxeG6zcWJ81r03BPQ0cETGXpX0yVET+tL/D1whdUj6X4Z273IAJgG1LBYyx0JyLBI5W+h+Drdf1uQi5Mc4A9Y1o9UbdW2iqx8ZZLJjKEWEMAg1VuJ52lZTybAy++v8WwbtfuJc09Vktr8CEyQ6rDYAEFv3hbLxFlM8A7yIS2JTExBB8s4IMr508ngTcuki2CNfi21xEjgnU8+1MCkuQgbWvZ3Cx4KVMwtsa+LXrMx+tb2FqTEdym6Y8CbDAxtuwMTZ7nVGIuW5FuDaN2n68LSOozyoukO+8czQADwR/t/dLWnLojANt6iPXuEXobDMJi6AQ3fOk/UjlCJg7LlrsGT2zezCcJcZbo90ZdQgHAdN4+3YfnPwJh97w8ri//njWUbuw7e2FUD/hsiHJSgjsSnJvqFkjI/FpzP484cNAHW2ZkDGOJFKuwnJTXjDA4qVBuIvdo0P+QEkDbZKCJ+bxm7g+FyEb2Iq5GAyjNnrN5g3hRECLj3KFiSST26jF1TOZU036zmeLZL2esbbk1S65DfDb7fICbBbVxa/JqMPhI00iDCqRNc7dBKK4qF5cT8KADUuyDW2QNyLJqYoYftfB/nYJPwhrwbKdGxLByUNWrHokvPzejz8Y4njtxCsjdRCouZK0CJyWoEF6KRpaiJCk1uIW7kf0KrRh6cPd90gpnXA7eCRUjQgt4tatKk0WPzPftcCMRoe7DmmPZeywJQZbiMR8wZujaQ6ED//uTyrP8/IEqfx45ciB1iriynVHcCBkZVwYkNAwboblto5TWAgNMZYLUgqBMWB8x/3y+yJS+8r7UqbQ9O/bEaNh2snWI8u6Vr8PjEAcQyBG2PXi2/LL+vz7+QjZ4F8MbnIXans6qZtJOCpfbJ+xh+MxpE2/f3+R1vyXGzfkdOzzJi95HkFZYMTHQOCpIMkZfWAHThcKRaQI+PXXXhuG8fcfvPtuiUUnun85EvloqXbwgUeE+4n0NR5+1W6dlMy1FYFo+LdhZ3kJuftgYJLN/RYvyobcgvU2S1I57gDhSqN0f89BqI+3ZFh2LJlxgyY+h8lIapDIWHkXYGdrAE48e5phFRGABsL1Y0N0LxlsjCMBkeuVaDGOqW3SjS93396dYyy6LzyuXa92vH4m8Q8GfaSLEhQghcSgBGqSE5QgVYMCPUO+sjERPQjXJsiX8BNBMwQbk+DPrWHlgRoxEsmMeIedmhfJjhkwNuPO3K0DgWHfRjP3M78y+8C52kPgrcN60fTnIuQVHQ93NylEwBVjkxl1FoUfFY5bJIlynbKmmiwiu9vf76TKudp0j3TWm89Ts6SN8CeDhqvruhzj3o9INBOZvIKk2nS97O/C1adOnRhYcjMpfurkycmfGCOEJ6OFJTb97rsNVtrTyg8z7EwqSeABieBIl0Ymjm/YE+wRrr3fGFUbeyYCpXXgX0flktAuEtvfwJCtve77EHGv6cxpA92ep+R4eHsSa5J6JBdCB7F4auRWaAE7VSD9Di5Zx219jgeCEQvSEQInYrILzQmkOFi+iH349PLV1rRQM4gR8yH2KThtzFsGsi2nrTIePdu8ERkDGFMIAklrzRy3RCOEGmHMG7PFFE9oh55NKBBi0k5XDCCHhXZByIh6iLgxWQtz7DHrRsmfi5BtnIvKI/F4KEhd4VGYDIGLklGNkfgsvHayd0rndOIS44/xpUiVaie5SdwHpQlyYR0ss2tnEvFW/k/dOrtJUi5i73nU46Mh/OWwyN//vd+dxTn8/FDP4/LJW5IkFTh5cB+GtHFatDr6ICkRU+wOf1t8khqxCg6okJh7Nz4uNtiXOw4xqiuEd0keBD2GZDvT9MbdZQ7q/cyB8eee3G28D+3fvG/n9i1BijByxaJgDcbGA9t6fTwJbTysfnByK8rriBh39DeQ6373f/WVQ1NTN67I1hqVHZgIqP4gF1vHPCqNybit67a8IQeS1KSq3+89WJrNEA6MU94M/vSR+iPN044xLI2azBhi9JjbMT1vysaIe8sL3Lylz7svI48r816GHo0MOyPeSSwaykW8LRICbg/X8/pvJuSfHwcJaYA4FhSwWRTbZoNu0g/bdOeF6BnsAjOu37hSPmxlRs2I8YegeA4koU8tXHjM37YljXWAdy9S2GvKnXSRJMVgxM9aeH7Pw4cdG8AHeyvVLUNtYXs+VN4IRg0jjYRdkl8c2ZVvdUp9+bSp7oI1jWV6VCD07qEqAtHb7FDThGR3cue1aeQv6YVxMRb1ilLnkMvUMAbcHox4eIUKX/4uuqhgIKVT3u+Bteu3VZhHJT3r6P6KC5qlggBf1pQtgDDG3dg8SWSagW0hWX/PqV25Bc/OutEEJPWo9Qh28WXnGUqgwOSYEjQQfXta3rK/m7e1Ja1pEc+cIgYajIcjpuR33lh7M/nRD4NfW7a2py3Glo35mhtvk565CzkjeIYiQ9N5fZrCLHkVkVdrwzOz2BFprJ6Hrl/29asJuQfP9Xc8cQy3/kYiLVIw1Z863ZeRdj3O/QzmbXYP24A5Daju9VoCHI5AJA35crwsvEjCbWlDhzAydO6U17orPJeASdqVmxzR3G/hGRv6WNhQEt+CkIQffvTJJMPwbjD25OkKYmhszVB52kIXRU1lClF3TNeBiLNxmxocPcYMDNnm7W48AiOgzicFI7ifvE/Y98zZc6Na9+5UmFoAoGAConiSD7ihFEVsPKlVkp5klhQvQQaxjuch/AsLl4hRctLxgiIX+1yQq0ACAt6R2ieZGYs+w3gbL0qq23l/JOnx/OwqwBmjr5QJpyeIZ0vqd3FPDmzqRRoBM8i5BpnmGVWSgDByXHxulXnI+yB3wrptat/4v81hTkqNmZ891/T7hWHYB6Uf5GaJ4Esw2l5a632puSS3POjrawcPl/B/4rW1vQkXjO51AgfHbHKMRfN72devJuRfesqKrlcvW3BLBziQOiN4myArVlWETKjnca/yGAQ3/sqId0ObgrBBkMVAEBRhCZfPS1y5ZzcWpbt9K79y7/d3iS9Hyq8gOUhWCTzuqSulxis3bnWqaER08sSJkaQwrHVj2CAsG2kDjZdngSSiEp0fDUPr80CFOyBGGNt7Xjt5YvKT+XLhVFHHQwVnDEL+hYN5BB9uPKhQtjHyHhi7ucP58D7Jx3dMfctQEwq+UJrl8cYp55fBJTixLWKeSGXvW6KgLURSmStSbZ7cCMEirV8nuNJnrD9pKkDypbfeiNidq7Kc+AQKeDZCpu3YADTYzkLNmM94R3C80KwWy9inYqX9I61JUWO25rPLvYCA5WNs2FGcIKhmjQWPaK/xq/cdPDKHGaBp9OVn93ev9br+mwj5lx9uISxk4GsmgGi9wNfJzwo/PS7zjXXPan6Yp0Dij1IleA3k6BaTW6FBik41Vo6kdYnq7S5qxetgMyzkRKoqKxqJF3Gy3GHVkydPplaLMg2xLEngXEqXaz2LuCzqdDkiWV5IBsxxJbhz+cqVWXhuspO52fha5erCywjrfNluikg//OhMRKghSVUp7380apxhiwkYZVxb1gMBPe3sOUns0jL5e+FzuwmO+Q7yiAgiGh00BV80YeEZ8R4GpaCDtdPtRw2c63LM4+/znl6DlTGSuZ+r5esEV/ocgxEx8cPfLGqKqR5XlbNzJ6NykYTWGXPZJx4FP6M0hrT8E7CAwRdNz2eEsZVZqa80GoIBzuYa1Pp2dS9JT6Q5IfPzMnfgxBDysr8zoZf8z+cj5KHi9gWb2Z25loXCxZMm2J0Rzkbux6TSjo7Kav5tVO6oPsNjgQAUa4IIavv0p0DUmzsIRlUHSXvqxPGI7Pj4eUkXF8vc4sLCn5w5U0Bg99pbp08nBWtYXWrmEH+bdaiauqm2COchCpK+0cRIqdqIYl/P1hM5FDc/8z9Tr6KFMCfmk+9Ain2tlFH1aNxrk8wU/gRzqH3SyOdgceqagQhOkPI+i8r5k+VV7A4ead548BB8n/2Q1qBNqFsEYA6kHEhF8yl74mGQYwEmfPzJmZGAiMk45EvLy1YN0i1G24zx2eeodJqBF0Hqqdzs8bH3uZ3BHD+PoY6BCJTGm0Jp/X6GZX2W9CYUNGtBlPbc+gkmjYeqOWIK75Pp5/nL+2aKLxiI1F80yfLqy/33cxHyagim1Oj6BzEvkzNBqkaXer0rPit9EBaVkwwi3LurCLQeDP1ObcqZ4G7jl7SwjA3FkXygR492zl3SAnGovhANdFkwbihSkRo8QGUHMx7nzN+dGp2ja9sYJVGTqtjYYHYLbKjylElAhEg9619BSjtGjSTDKLAmI4m34u23To9klUPCgBJZfPVYieeNgemiGFa/Ca6sT29dGRUMAmBo3xlcckqaTHnOe2KOckH2FmnsddACXBovD8nY+Eh54yFZF2ZYGIzBxBfMDUlrCeIw9DRL1/zc2rsQHTi0Pw2G4Ulgz5nc43otY1IE6GErvDrvaQ+sN81iKKN5Iz7FtcYhB1onfBDjyZMqyR+q+C5WUIsAQRTPPUgjvCDk0bCRx8/Mu6GYGePL/uf/BePVQcmg6HQqAAAAAElFTkSuQmCC"
+                }
+            ]
+        }
+    ]
+}
\ No newline at end of file

From e365c49c949f846fb0116d0973fe54b07cb91bd7 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Mon, 11 Nov 2024 19:19:55 +0100
Subject: [PATCH 07/13] =?UTF-8?q?=F0=9F=90=9B=20Fix=20Defender=20broken=20?=
 =?UTF-8?q?Endpoint=20#11217=20(#11212)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* :bug: fix MSDefender computerDNSName to match modelregex

* :bug: fix DefendercomputerDNSName is mostly a userinfo

* ruff

* fix according to review

* add unittest
---
 dojo/tools/ms_defender/parser.py            |   2 +-
 unittests/scans/ms_defender/issue_11217.zip | Bin 0 -> 1563 bytes
 unittests/tools/test_ms_defender_parser.py  |  12 ++++++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 unittests/scans/ms_defender/issue_11217.zip

diff --git a/dojo/tools/ms_defender/parser.py b/dojo/tools/ms_defender/parser.py
index ad909168c2..cfa9db5c0c 100644
--- a/dojo/tools/ms_defender/parser.py
+++ b/dojo/tools/ms_defender/parser.py
@@ -131,7 +131,7 @@ def process_zip(self, vulnerability, machine):
         self.findings.append(finding)
         finding.unsaved_endpoints = []
         if machine["computerDnsName"] is not None:
-            finding.unsaved_endpoints.append(Endpoint(host=str(machine["computerDnsName"])))
+            finding.unsaved_endpoints.append(Endpoint(host=str(machine["computerDnsName"]).replace(" ", "").replace("(", "_").replace(")", "_")))
         if machine["lastIpAddress"] is not None:
             finding.unsaved_endpoints.append(Endpoint(host=str(machine["lastIpAddress"])))
         if machine["lastExternalIpAddress"] is not None:
diff --git a/unittests/scans/ms_defender/issue_11217.zip b/unittests/scans/ms_defender/issue_11217.zip
new file mode 100644
index 0000000000000000000000000000000000000000..862542647b1e85cb63f03244b8a683424e187ae0
GIT binary patch
literal 1563
zcmWIWW@h1H0D)60XNQ9sP=b>|h9NgGIU_SKwOBtigp+}Jc56@S93U>O;AUWCxu}1n
zfTg1C5KjQm2oazr4u;Y>>5=c$r~0}uF)*~TGBAiC8v!#*FRM5|4{Tl?hi*CuqnTGb
z<$nGx1A*iBe`+tv;a_`YibJ^7uPp|vIx|Z$*3?FXhF<@{w5(6|r@K@8xBcfi8?7ej
zE=VYvzx(&SpL2YVZ=U|&Q{X~@9QV4ywSTkE$7ju5`8v;B)4(&N>Dsh1#l?5OYi4P@
zED!FOK4tNz^V=MY64=(hcm8_)v)R}6rh!4nbiy=NY6PrfIeO?G_mZO4MGID2xv?(S
z5cg1v>9#t&<jb=*L-s{kY9>X#jlI6dGI(Zj<?Updafq#AbKguwkEouASyM{?G%nEk
z-fXh%)tQVb$?NhIbyt60zM*cGRI2>413!i5GJaIj+B^B))%=4uR+e9Sek5AKJu=g(
zG~0VcNL63NvQO2A6D7Wgcy7BNuXkd>LEh##i3qiWhnBX?GQ7|^A@gMIb?+&@pKZNd
zZ*y&)7j$IBlnKX=)x0m2*(_pqQpssa>AEX(!{<9cOUt!B(zx@Dqtpi9OZi-X<NiN#
z4*qu{;M%62-Ym<e7xUf<5n2>+Std5T$+Gw3zIh)1ua$Ak;69PwvEL(cQ`QbW_Hg;z
zJ-co9KVBdbTcC3Fv75rGxMv$Dl*-+k(D>R%L;0ihvlF)%Rw*gOx5|Fn_K`*5@u~^i
zgeT<jANP-#Vp~y>6Ea^xU1RZ|weIDATDzOff1RGs>f!YB(9tO;jTE<vUb)fbajQfs
zId@f1|B-^-vs1qO>JO>@UC(;)?wSQf_mrP*Exe|8!>(cXKZ^hfw#5b#?FSzy{kX&b
ztJyhbf7<cV-0btOCiA?B*xUT?=K8yPPh8IYduYw#@|a&6gV+6I0;Nevvc86vtObB+
zvaB>GFSRH!DKjUtBomgpHv?1lWqhf-0GPTNS4_?oXJlXy0H$y?EG8AD7UUO|#OEgF
zRmOvCDMqCB5@1RPVf54<c+&5%fxzC+q7#p@uJqK%4&`iQkr6n(aXOdcW1m|mlicGT
zIbE$!&nfa?G-U60e}A^xc-C7-r-OMR2X)W4OcFDjc2;=Xwr$3rZJx_6dtk(TD07QE
zQ^!K%{!Ib*0-U8KEX|+J4Rz1?q<j7IF~*fT$um`MD+;%`27DLI2$3sUDqyo$E+Bk?
zP1wums@*&M&+F@@zwBvx)z>|1eU*a0@6ym!hEtZ`^eme-_hSBsUbaQ;?JqViH%i+Q
zvnG&lO}(1r_bEFZcUIN(`(83V%kg@P)|?Icdw8ukTgd(H)qnJ-(eU1L|3zjiQWE&I
z`#jmIIHq%aFcx_cW!A8JM!b5p`qYy1>Qlb<&t5gD-ir5n`?6#2vZ{OpQ_A84ycwC~
zm~oX%63{YAfZ?qphzToOfaMe`q?|$vWr%UON-2nOz-VPy(&&tA9L!v3ECS8OQeGiD
z6*ILVJM}s+)nKMQpsAp=hsVX3DG%Ajip-d%;!1}=yRf9e0B=?{P%yFpVJ<KjX0U*G
E05URMJOBUy

literal 0
HcmV?d00001

diff --git a/unittests/tools/test_ms_defender_parser.py b/unittests/tools/test_ms_defender_parser.py
index a83049bf2e..586bc401c5 100644
--- a/unittests/tools/test_ms_defender_parser.py
+++ b/unittests/tools/test_ms_defender_parser.py
@@ -68,3 +68,15 @@ def test_parser_defender_multiple_files_zip(self):
         for endpoint in finding.unsaved_endpoints:
             endpoint.clean()
         self.assertEqual("1.1.1.1", finding.unsaved_endpoints[0].host)
+
+    def test_parser_defender_issue_11217(self):
+        testfile = open("unittests/scans/ms_defender/issue_11217.zip", encoding="utf-8")
+        parser = MSDefenderParser()
+        findings = parser.get_findings(testfile, Test())
+        testfile.close()
+        self.assertEqual(1, len(findings))
+        finding = findings[0]
+        self.assertEqual("Medium", finding.severity)
+        for endpoint in finding.unsaved_endpoints:
+            endpoint.clean()
+        self.assertEqual("Max_Mustermann_iPadAir_17zoll__2ndgeneration_", finding.unsaved_endpoints[0].host)

From 633065561bd42ac5f1229f258ddf66bf0b940813 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Mon, 11 Nov 2024 19:25:43 +0100
Subject: [PATCH 08/13] :bug: fix semgrep severity logic #11218 (#11219)

* :bug: fix semgrep severity logic #11218

* ruff

* udpate according to comment

* fix unittest
---
 dojo/tools/semgrep/parser.py           | 9 +--------
 unittests/tools/test_semgrep_parser.py | 4 ++--
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/dojo/tools/semgrep/parser.py b/dojo/tools/semgrep/parser.py
index 883fcc4f31..39f72f8b43 100644
--- a/dojo/tools/semgrep/parser.py
+++ b/dojo/tools/semgrep/parser.py
@@ -137,15 +137,8 @@ def convert_severity(self, val):
             return "Medium"
         if upper_value in ["ERROR", "HIGH"]:
             return "High"
-        if upper_value == "LOW":
+        if upper_value in ["LOW", "INFO"]:
             return "Low"
-        if upper_value == "INFO":
-            if "WARNING" == val.upper():
-                return "Medium"
-            if "ERROR" == val.upper() or "HIGH" == val.upper():
-                return "High"
-            if "INFO" == val.upper():
-                return "Info"
         msg = f"Unknown value for severity: {val}"
         raise ValueError(msg)
 
diff --git a/unittests/tools/test_semgrep_parser.py b/unittests/tools/test_semgrep_parser.py
index 8729e4cc00..5517077e97 100644
--- a/unittests/tools/test_semgrep_parser.py
+++ b/unittests/tools/test_semgrep_parser.py
@@ -39,7 +39,7 @@ def test_parse_many_finding(self):
             self.assertEqual('javax crypto Cipher.getInstance("AES/GCM/NoPadding");', finding.mitigation)
             self.assertEqual("java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle", finding.vuln_id_from_tool)
             finding = findings[2]
-            self.assertEqual("Info", finding.severity)
+            self.assertEqual("Low", finding.severity)
             self.assertEqual("src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01150.java", finding.file_path)
             self.assertEqual(66, finding.line)
             self.assertEqual(696, finding.cwe)
@@ -96,7 +96,7 @@ def test_parse_cwe_list(self):
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(1, len(findings))
             finding = findings[0]
-            self.assertEqual("Info", finding.severity)
+            self.assertEqual("Low", finding.severity)
             self.assertEqual("index.js", finding.file_path)
             self.assertEqual(12, finding.line)
             self.assertEqual(352, finding.cwe)

From c5c10522c9793f1f3f5248745bcaee41b7cb6a9a Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Mon, 11 Nov 2024 15:50:23 -0600
Subject: [PATCH 09/13] Importers: Force tags to lowercase (#11221)

---
 dojo/importers/options.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dojo/importers/options.py b/dojo/importers/options.py
index f458f2a4f3..d90858e6fd 100644
--- a/dojo/importers/options.py
+++ b/dojo/importers/options.py
@@ -530,13 +530,15 @@ def validate_tags(
         *args: list,
         **kwargs: dict,
     ) -> list:
-        return self.validate(
+        tags = self.validate(
             "tags",
             expected_types=[list],
             required=False,
             default=[],
             **kwargs,
         )
+        # Force all tags to be lowercase
+        return [tag.lower() for tag in tags]
 
     def validate_test(
         self,

From 9b1fd658d6f2736861d489706a8b1a1cb587bf99 Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Tue, 12 Nov 2024 09:53:32 -0600
Subject: [PATCH 10/13] Burp Enterprise: Support newer format (#11220)

* Burp Enterprise: Support newer format

* Forgot partially updated test

* Add other tests

* Correct tests
---
 dojo/settings/.settings.dist.py.sha256sum     |    2 +-
 dojo/settings/settings.dist.py                |    2 +
 dojo/templatetags/display_tags.py             |    7 +-
 dojo/tools/burp_enterprise/parser.py          |  391 +-
 .../many_vulns_updated_format.html            | 7391 +++++++++++++++++
 .../tools/test_burp_enterprise_parser.py      |   39 +-
 6 files changed, 7633 insertions(+), 199 deletions(-)
 create mode 100644 unittests/scans/burp_enterprise/many_vulns_updated_format.html

diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
index 593f8b129d..59acc056a4 100644
--- a/dojo/settings/.settings.dist.py.sha256sum
+++ b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-60628ca4667641350d3d1854d1a6f863ce2ddeefa4f6e5df83f7e11a700cde0e
+58e2f6cb0ed2c041fe2741d955b72cb7540bfb0923f489d6324717fcf00039da
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 2c9ff2c7b9..2571d99b0c 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1744,6 +1744,8 @@ def saml2_attrib_map_format(dict):
     "ELSA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
     "ELBA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "RXSA": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RXSA-2024:4928
+    "CAPEC": "https://capec.mitre.org/data/definitions/&&.html",  # e.g. https://capec.mitre.org/data/definitions/157.html
+    "CWE": "https://cwe.mitre.org/data/definitions/&&.html",  # e.g. https://cwe.mitre.org/data/definitions/79.html
     "TEMP": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py
index 7b634febf6..3fa030d90a 100644
--- a/dojo/templatetags/display_tags.py
+++ b/dojo/templatetags/display_tags.py
@@ -781,7 +781,12 @@ def vulnerability_url(vulnerability_id):
     for key in settings.VULNERABILITY_URLS:
         if vulnerability_id.upper().startswith(key):
             if "&&" in settings.VULNERABILITY_URLS[key]:
-                return settings.VULNERABILITY_URLS[key].split("&&")[0] + str(vulnerability_id) + settings.VULNERABILITY_URLS[key].split("&&")[1]
+                # Process specific keys specially if need
+                if key in ["CAPEC", "CWE"]:
+                    vuln_id = str(vulnerability_id).replace(f"{key}-", "")
+                else:
+                    vuln_id = str(vulnerability_id)
+                return f'{settings.VULNERABILITY_URLS[key].split("&&")[0]}{vuln_id}{settings.VULNERABILITY_URLS[key].split("&&")[1]}'
             return settings.VULNERABILITY_URLS[key] + str(vulnerability_id)
     return ""
 
diff --git a/dojo/tools/burp_enterprise/parser.py b/dojo/tools/burp_enterprise/parser.py
index aab8e56524..052d8a80f8 100644
--- a/dojo/tools/burp_enterprise/parser.py
+++ b/dojo/tools/burp_enterprise/parser.py
@@ -1,7 +1,7 @@
 import logging
 import re
 
-from lxml import etree
+from lxml import etree, html
 
 from dojo.models import Endpoint, Finding
 
@@ -9,6 +9,16 @@
 
 
 class BurpEnterpriseParser:
+    vulnerability_list_xpath = (
+        "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]"
+    )
+    table_contents_xpath = "/html/body/div/div[contains(@class, 'section') and .//table[contains(@class, 'issue-table')]]"
+    description_headers = ["issue detail", "issue description"]
+    request_response_headers = ["request", "response"]
+    impact_headers = ["issue background", "issue remediation"]
+    mitigation_headers = ["remediation detail", "remediation background"]
+    references_headers = ["vulnerability classifications", "references"]
+
     def get_scan_types(self):
         return ["Burp Enterprise Scan"]
 
@@ -19,230 +29,231 @@ def get_description_for_scan_types(self, scan_type):
         return "Import Burp Enterprise Edition findings in HTML format"
 
     def get_findings(self, filename, test):
-        parser = etree.HTMLParser()
-        tree = etree.parse(filename, parser)
+        tree = html.parse(filename)
         if tree:
             return self.get_items(tree, test)
         return ()
 
-    def get_content(self, container):
+    def _get_endpoints_title_severity_mapping(self, tree: etree.ElementTree) -> dict[str, str]:
+        """
+        Construct a dict that contains mappings of endpoints and severities by a a title key.
+
+        Example: {
+            "finding-title": {
+                "title": "finding-title",
+                "severity: "Medium",
+                "cwe": None,
+                "endpoints: [
+                    "http://127.0.0.1/path/A",
+                    "http://127.0.0.1/path/B",
+                ],
+            }
+        }
+        """
+        finding_mapping = {}
+        table_contents = tree.xpath(self.table_contents_xpath)
+        for table in table_contents:
+            # There is only one header in this div, so we will get a string back here
+            base_endpoint = table.xpath("h1")[0].text.replace("Issues found on ", "").removesuffix("/")
+            # Iterate over the table of endpoint paths and severities
+            title = None
+            for entry in table.xpath("table[contains(@class, 'issue-table')]/tbody/tr"):
+                # The etree.element with a class of "issue-type-row" is the title of the finding
+                if "issue-type-row" in entry.classes:
+                    # The structure of this section is consistent
+                    # <tr class="issue-type-row"><td colspan="4">... [number-of-instances]</td></tr>
+                    title = " ".join(entry.xpath("td")[0].text.strip().split(" ")[:-1])
+                    # Add the finding title as a new entry if needed
+                    if title not in finding_mapping:
+                        finding_mapping[title] = {
+                            "title": title,
+                            "severity": None,
+                            "cwe": None,
+                            "endpoints": [],
+                        }
+                else:
+                    # The structure of this section is consistent
+                    # <td class="issue-path issue-link">...</td>
+                    # <td>...</td>
+                    # Quick check to determine if we need to move to the
+                    path = entry.xpath("td")[0].text.strip()
+                    severity = entry.xpath("td")[1].text.strip()
+                    # Update the finding_mapping
+                    finding_mapping[title]["endpoints"].append(f"{base_endpoint}/{path.removeprefix('/')}")
+                    finding_mapping[title]["severity"] = severity
+
+        return finding_mapping
+
+    def _get_content(self, container: etree.Element):
+        # quick exit in case container is not found
         s = ""
+        if container is None or (isinstance(container, list) and len(list) == 0):
+            return s
+        # Do some extra processing as needed
         if (
             container.tag == "div"
             and container.text is not None
             and not container.text.isspace()
             and len(container.text) > 0
         ):
-            s += (
+            s += re.sub(r"[ \t]+", " ", (
                 "".join(container.itertext())
                 .strip()
                 .replace("Snip", "\n<-------------- Snip -------------->")
                 .replace("\t", "")
-            )
+            ))
         else:
             for elem in container.iterchildren():
                 if elem.text is not None and elem.text.strip() != "":
+                    stripped_text = elem.text.strip()
                     if elem.tag == "a":
-                        s += (
-                            "("
-                            + elem.text
-                            + ")["
-                            + elem.attrib["href"]
-                            + "]"
-                            + "\n"
-                        )
+                        value = "[" + stripped_text + "](" + elem.attrib["href"] + ")" + "\n"
                     elif elem.tag == "p":
-                        s += elem.text + "\n"
+                        value = elem.text_content().strip().replace("\n", "")
+                    elif elem.tag == "b":
+                        value = f"**{stripped_text}**"
                     elif elem.tag == "li":
-                        s += "* "
-                        if elem.text is not None:
-                            s += elem.text + "\n"
-                    elif elem.text.isspace():
-                        s += list(elem.itertext())[0]
+                        value = "- "
+                        if stripped_text is not None:
+                            value += stripped_text + "\n"
+                    elif stripped_text.isspace():
+                        value = list(elem.itertext())[0]
                     elif elem.tag == "div" or elem.tag == "span":
-                        s += elem.text.strip() + "\n"
+                        value = elem.text_content().strip().replace("\n", "") + "\n"
                     else:
                         continue
+                    s += re.sub(r"\s+", " ", value)
                 else:
-                    s += self.get_content(elem)
+                    s += self._get_content(elem)
         return s
 
-    # Get the endpoints and severities associated with each vulnerability
-    def pre_allocate_items(self, tree):
-        items = []
-        endpoint_text = tree.xpath(
-            "/html/body/div/div[contains(@class, 'section')]/h1",
-        )
-        severities = tree.xpath(
-            "/html/body/div/div[contains(@class, 'section')]/table[contains(@class, 'issue-table')]/tbody",
-        )
-        endpoint_text = [
-            endpoint
-            for endpoint in endpoint_text
-            if ("Issues found" in "".join(endpoint.itertext()).strip())
-        ]
-
-        for index in range(len(severities)):
-            url = endpoint_text[index].text[16:]
-            sev_table = list(severities[index].iter("tr"))
-
-            title = ""
-            endpoint = ""
-            for item in sev_table:
-                item_list = list(item.iter("td"))
-                if len(item_list) == 1:
-                    title_list = item_list[0].text.strip().split(" ")
-                    title = " ".join(title_list[:-1])
-                else:
-                    endpoint = item_list[0].text.strip()
-                    severity = item_list[1].text.strip()
-                    vuln = {}
-                    vuln["Severity"] = severity
-                    vuln["Title"] = title
-                    vuln["Description"] = ""
-                    vuln["Impact"] = ""
-                    vuln["Mitigation"] = ""
-                    vuln["References"] = ""
-                    vuln["CWE"] = ""
-                    vuln["Response"] = ""
-                    vuln["Request"] = ""
-                    vuln["Endpoint"] = [url + endpoint]
-                    vuln["URL"] = url
-                    items.append(vuln)
-        return items
-
-    def get_items(self, tree, test):
-        # Check that there is at least one vulnerability (the vulnerabilities
-        # table is absent when no vuln are found)
-        vulns = tree.xpath(
-            "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]",
-        )
-        if len(vulns) == 0:
-            return []
-
-        dict_index = 0
-        description = ["Issue detail:", "Issue description"]
-        reqrsp = ["Request", "Response"]
-        impact = ["Issue background", "Issue remediation"]
-        mitigation = ["Remediation detail:", "Remediation background"]
-        references = ["Vulnerability classifications", "References"]
-        vuln = None
-        merge = False
-        items = self.pre_allocate_items(tree)
-        for issue in vulns:
-            elems = list(issue.iterchildren())
-            curr_vuln = items[dict_index]
-            if vuln is None or (
-                curr_vuln["Title"] != vuln["Title"]
-                or curr_vuln["URL"] != vuln["URL"]
-            ):
-                vuln = curr_vuln
-                merge = False
-            else:
-                if curr_vuln["Endpoint"][0] not in vuln["Endpoint"]:
-                    vuln_list = vuln["Endpoint"]
-                    vuln_list.append(curr_vuln["Endpoint"][0])
-                    vuln["Endpoint"] = vuln_list
-                merge = True
-
-            for index in range(3, len(elems), 2):
-                primary, secondary = (
-                    elems[index].text.strip(),
-                    elems[index + 1],
-                )
-                field = self.get_content(secondary)
-                webinfo = primary.split(":")[0]
-                details = "**" + primary + "**\n" + field + "\n\n"
-                # Description
-                if primary in description:
-                    if merge:
-                        if field != vuln["Description"].split("\n")[1]:
-                            vuln["Description"] = (
-                                vuln["Description"] + field + "\n\n"
-                            )
-                    else:
-                        vuln["Description"] = vuln["Description"] + details
-                # Impact
-                if primary in impact and not merge:
-                    vuln["Impact"] = vuln["Impact"] + details
-                # Mitigation
-                if primary in mitigation and not merge:
-                    vuln["Mitigation"] = vuln["Mitigation"] + details
-                # References and CWE
-                if primary in references and not merge:
-                    if len(vuln["CWE"]) < 1 and field.find("CWE") != -1:
-                        vuln["CWE"] += str(self.get_cwe(field))
-                    vuln["References"] = vuln["References"] + details
-                # Request and Response pairs
-                if webinfo in reqrsp:
-                    if webinfo == "Request":
-                        vuln["Request"] = vuln["Request"] + field + "SPLITTER"
+    def _format_bulleted_lists(self, finding_details: dict, div_element: etree.ElementTree) -> tuple[str, list[str]]:
+        """Create a mapping of bulleted lists with links into a formatted list, as well as the raw values."""
+        formatted_string = ""
+        content_list = []
+        for a_tag in div_element.xpath("ul/li/a"):
+            content = re.sub(r"\s+", " ", a_tag.text.strip())
+            link = a_tag.attrib["href"]
+            formatted_string += f"- [{content}]({link})\n"
+            content_list.append(content)
+
+        return formatted_string, content_list
+
+    def _set_or_append_content(self, finding_details: dict, header: str, div_element: etree.ElementTree) -> None:
+        """Determine whether we should set or append content in a given place."""
+        header = header.replace(":", "")
+        field = None
+        # description
+        if header.lower() in self.description_headers:
+            field = "description"
+            content = self._get_content(div_element)
+        elif header.lower() in self.impact_headers:
+            field = "impact"
+            content = self._get_content(div_element)
+        elif header.lower() in self.mitigation_headers:
+            field = "mitigation"
+            content = self._get_content(div_element)
+        elif header.lower() in self.references_headers:
+            field = "references"
+            content, data_list = self._format_bulleted_lists(finding_details, div_element)
+            # process the vulnerability_ids if we have them
+            if header.lower() == "vulnerability classifications":
+                for item in data_list:
+                    cleaned_item = item.split(":")[0]
+                    if (
+                        finding_details["cwe"] is None
+                        and (cwe_search := re.search("CWE-([0-9]*)", cleaned_item, re.IGNORECASE))
+                    ):
+                        finding_details["cwe"] = int(cwe_search.group(1))
+                    if "vulnerability_ids" not in finding_details:
+                        finding_details["vulnerability_ids"] = [cleaned_item]
                     else:
-                        vuln["Response"] = (
-                            vuln["Response"] + field + "SPLITTER"
-                        )
-
-            dict_index += 1
-
-        return list(self.create_findings(items, test))
-
-    def get_cwe(self, vuln_references):
-        # Match only the first CWE!
-        vuln_references = vuln_references.split(":")[0]
-        cweSearch = re.search("CWE-([0-9]*)", vuln_references, re.IGNORECASE)
-        if cweSearch:
-            return cweSearch.group(1)
-        return 0
-
-    def create_findings(self, items, test):
-        # Dictonary to hold the aggregated findings with:
-        #  - key: the concatenated aggregate keys
-        #  - value: the finding
-        dupes = {}
-        for details in items:
-            if details.get("Description") == "":
-                continue
-            aggregateKeys = "{}{}{}{}".format(
-                details.get("Title"),
-                details.get("Description"),
-                details.get("CWE"),
-                details.get("Endpoint"),
-            )
-            detail_cwe = None
-            if details.get("CWE"):
-                detail_cwe = int(details.get("CWE"))
-            find = Finding(
-                title=details.get("Title"),
-                description=details.get("Description"),
+                        finding_details["vulnerability_ids"].append(cleaned_item)
+        elif header.lower() in self.request_response_headers:
+            field = "request_response"
+            content = self._get_content(div_element)
+            if header.lower() == "request":
+                if "requests" not in finding_details:
+                    finding_details["requests"] = [content]
+                else:
+                    finding_details["requests"].append(content)
+            if header.lower() == "response":
+                if "responses" not in finding_details:
+                    finding_details["responses"] = [content]
+                else:
+                    finding_details["responses"].append(content)
+            return
+
+        else:
+            return
+
+        formatted_content = f"**{header}**:\n{content}\n"
+        if (existing_field := finding_details.get(field)) is not None:
+            if header not in existing_field:
+                finding_details[field] += f"{formatted_content}\n---\n"
+        else:
+            finding_details[field] = f"{formatted_content}\n---\n"
+
+    def _parse_elements_by_h3_element(self, issue: etree.Element, finding_details: dict) -> None:
+        for header_element in issue.xpath("h3"):
+            if (div_element := header_element.getnext()) is not None and div_element.tag == "div":
+                # Determine where to put the content
+                self._set_or_append_content(finding_details, header_element.text.strip(), div_element)
+
+    def get_items(self, tree: etree.ElementTree, test):
+        finding_details = self._get_endpoints_title_severity_mapping(tree)
+        for issue in tree.xpath(self.vulnerability_list_xpath):
+            # Get the title of the current finding
+            title = issue.xpath("h2")[0].text.strip()
+            # Fetch the bodies of the issues and process them
+            self._parse_elements_by_h3_element(issue, finding_details[title])
+            # Accommodate a newer format where request/response pairs in a separate div
+            for request_response_div in issue.xpath("div[contains(@class, 'evidence-container')]"):
+                # Fetch the bodies of the issues and process them
+                self._parse_elements_by_h3_element(request_response_div, finding_details[title])
+            # Merge the requests and response into a single dict
+            requests = finding_details[title].pop("requests", [])
+            responses = finding_details[title].pop("responses", [])
+            finding_details[title]["request_response_pairs"] = [
+                {
+                    "request": requests[i] if i < len(requests) else None,
+                    "response": responses[i] if i < len(responses) else None,
+                }
+                for i in range(max(len(requests), len(responses)))
+            ]
+
+        return list(self.create_findings(finding_details, test))
+
+    def create_findings(self, findings_dict: dict[str, dict], test):
+        # Pop off a few items to be processes after the finding is saved
+        findings = []
+        for finding_dict in findings_dict.values():
+            endpoints = finding_dict.pop("endpoints", [])
+            request_response_pairs = finding_dict.pop("request_response_pairs", [])
+            vulnerability_ids = finding_dict.pop("vulnerability_ids", [])
+            # Crete the finding from the rest of the dict
+            finding = Finding(
                 test=test,
-                severity=details.get("Severity"),
-                mitigation=details.get("Mitigation"),
-                references=details.get("References"),
-                impact=details.get("Impact"),
-                cwe=detail_cwe,
                 false_p=False,
                 duplicate=False,
                 out_of_scope=False,
                 mitigated=None,
                 static_finding=False,
                 dynamic_finding=True,
-                nb_occurences=1,
+                **finding_dict,
             )
+            # Add the unsaved versions of the other things
+            # Endpoints
+            finding.unsaved_endpoints = [Endpoint.from_uri(endpoint) for endpoint in endpoints]
+            # Request Response Pairs
 
-            if len(details.get("Request")) > 0:
-                requests = details.get("Request").split("SPLITTER")[:-1]
-                responses = details.get("Response").split("SPLITTER")[:-1]
-                unsaved_req_resp = []
-                for index in range(len(requests)):
-                    unsaved_req_resp.append(
-                        {"req": requests[index], "resp": responses[index]},
-                    )
-                find.unsaved_req_resp = unsaved_req_resp
-
-            find.unsaved_endpoints = []
-            dupes[aggregateKeys] = find
-
-            for url in details.get("Endpoint"):
-                find.unsaved_endpoints.append(Endpoint.from_uri(url))
+            finding.unsaved_req_resp = [
+                {"req": request_response.get("request"), "resp": request_response.get("response")}
+                for request_response in request_response_pairs
+            ]
+            # Vulnerability IDs
+            finding.unsaved_vulnerability_ids = vulnerability_ids
+            # Add the finding to the final list
+            findings.append(finding)
 
-        return list(dupes.values())
+        return findings
diff --git a/unittests/scans/burp_enterprise/many_vulns_updated_format.html b/unittests/scans/burp_enterprise/many_vulns_updated_format.html
new file mode 100644
index 0000000000..614ac1413b
--- /dev/null
+++ b/unittests/scans/burp_enterprise/many_vulns_updated_format.html
@@ -0,0 +1,7391 @@
+<html>
+
+<head>
+    <title>Scan Remediation Report #150</title>
+    <meta http-equiv="Content-Security-Policy"
+        content="default-src 'none'; img-src data:; style-src 'nonce-NzgzZDYzOWMtYzNiZi00OTVlLWEyZWQtMzkyMWRmYWVhYmNm'; base-uri 'none';">
+    <style nonce="NzgzZDYzOWMtYzNiZi00OTVlLWEyZWQtMzkyMWRmYWVhYmNm">
+        body {
+            font-family: 'Roboto', Helvetica, Arial, sans-serif;
+            color: #4d5155;
+            -webkit-font-smoothing: antialiased;
+            font-size: 14px;
+            background-color: #F7F9FD;
+        }
+
+        .report {
+            width: 712px;
+            margin: 0 auto;
+            position: relative;
+            background-color: white;
+            border-left: 60px solid white;
+            border-right: 60px solid white;
+            border-top: 20px solid white;
+            border-bottom: 20px solid white;
+        }
+
+        .header {
+            height: 150px;
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            border-bottom: 1px solid #0094FF;
+        }
+
+        .header h1 {
+            font-size: 44px;
+            color: #333332;
+        }
+
+        .header h2 {
+            font-size: 26px;
+            color: #333332;
+        }
+
+        .line {
+            border-left: 16px solid #0094FF;
+            height: 150px;
+            width: 24px;
+            position: absolute;
+            left: -40px;
+            float: left;
+        }
+
+        .section {
+            width: 100%;
+            margin-top: 50px;
+        }
+
+        .section.no-margin {
+            margin-top: 10px;
+        }
+
+        .label {
+            white-space: nowrap;
+            color: #8c8d8e;
+            margin-top: 30px;
+        }
+
+        .label:first-child {
+            margin-top: 0px;
+        }
+
+        .divider {
+            border-bottom: 1px solid #0094FF;
+        }
+
+        .title h1 {
+            color: #ffffff;
+            padding: 10px 15px;
+            margin: 0;
+            font-size: 1.8em;
+        }
+
+        .title img {
+            display: inline
+        }
+
+        table {
+            line-height: 20px;
+        }
+
+        h1 {
+            color: #333332;
+            font-size: 24px;
+            font-weight: bold;
+            margin-bottom: 20px;
+        }
+
+        h2 {
+            color: #333332;
+            font-size: 18px;
+            font-weight: normal;
+            margin-top: 0;
+            margin-bottom: 20px;
+        }
+
+        a {
+            color: #ff6633;
+            text-decoration: none;
+        }
+
+        .column-table .value.warning {
+            color: #ff6633;
+            font-size: 12px;
+        }
+
+        .column-table .value.error {
+            color: #f32a4c;
+            font-size: 12px;
+        }
+
+        .info-table {
+            margin-right: 50px;
+        }
+
+        .info-table td {
+            padding: 3px 3px 3px 0;
+            border-bottom: 1px solid #ebf0f2;
+            vertical-align: top;
+            overflow-wrap: break-word;
+            word-break: break-all;
+        }
+
+        .info-table td+td {
+            margin: 20px
+        }
+
+        .info-table .name {
+            width: 200px;
+            white-space: nowrap;
+            color: #8c8d8e;
+        }
+
+        .info-table .value {
+            text-align: right;
+        }
+
+        .issue-table {
+            border-collapse: collapse;
+            margin-top: 30px;
+        }
+
+        .issue-table thead th {
+            white-space: nowrap;
+        }
+
+        .issue-table tr {
+            border: 0;
+            border-bottom: 1px solid #8c8d8e;
+        }
+
+        .issue-table tr.issue-type-row {
+            font-weight: bold;
+            border-bottom: 0;
+        }
+
+        .issue-table tr th {
+            text-align: left;
+            padding-bottom: 8px;
+            padding-right: 8px;
+            width: 98%;
+        }
+
+        .issue-table tr .issue-path {
+            word-wrap: break-word;
+            max-width: 700px;
+            text-align: left;
+            padding-bottom: 8px;
+            padding-right: 8px;
+            width: 98%;
+        }
+
+        .issue-table td {
+            padding-right: 8px;
+        }
+
+        .issue-table td.nowrap {
+            white-space: nowrap;
+        }
+
+        .column-table {
+            width: 100%;
+        }
+
+        .column-table>tbody>tr>td {
+            width: 50%;
+            vertical-align: top;
+        }
+
+        .column-table>tbody>tr>td>.value {
+            display: flex;
+        }
+
+        .user-icon {
+            padding-right: 6px;
+        }
+
+        .recorded-icon {
+            padding-right: 10px;
+        }
+
+        .url {
+            word-break: break-all;
+        }
+
+        .section.details h1 {
+            margin-bottom: 30px;
+        }
+
+        .section.details h2 {
+            font-size: 14px;
+            font-weight: bold;
+            color: #4d5155;
+            margin: 0;
+        }
+
+        .section.details h3 {
+            font-size: 14px;
+            font-weight: normal;
+            color: #8c8d8e;
+            margin-top: 30px;
+            margin-bottom: 20px;
+        }
+
+        .center {
+            text-align: center;
+        }
+
+        .no-bullets ul {
+            list-style: none;
+            padding-left: 0;
+        }
+
+        .issue-container {
+            margin-bottom: 30px;
+        }
+
+        .standalone-section {
+            break-before: page;
+        }
+
+        .issue-type-container .issue-container {
+            break-before: page;
+        }
+
+        .standalone-section+.issue-type-container .issue-container:first-child {
+            break-before: avoid;
+        }
+
+        @media print {
+            body {
+                color: #000000;
+                position: relative;
+            }
+
+            .report {
+                width: calc(100% - 80px);
+            }
+
+            h1,
+            h2,
+            a {
+                color: #000000;
+            }
+
+            .no-print {
+                display: none;
+            }
+        }
+
+        .request-response {
+            overflow: auto;
+            border-radius: 7px;
+            border: 1px solid #dce3e5;
+            padding: 8px;
+            color: #000000;
+        }
+
+        .request-response .highlight {
+            background-color: rgba(255, 102, 51, 0.4);
+        }
+
+        .request-response,
+        .code,
+        pre {
+            font-family: "Courier New", Courier, monospace;
+            line-height: 16px;
+            word-break: break-all;
+            white-space: pre-wrap;
+        }
+
+        .request-response .snip {
+            margin-top: 20px;
+            margin-bottom: 20px;
+            position: relative;
+            border-top: 1px dashed #cbd0d1;
+        }
+
+        .request-response .snip>span {
+            position: absolute;
+            top: -13px;
+            display: inline-block;
+            width: 100%;
+            text-align: center;
+        }
+
+        .request-response .snip>span>span {
+            color: #8c8d8e;
+            padding: 0 8px;
+            background-color: #ffffff;
+        }
+
+        .evidence-container {
+            break-inside: avoid;
+        }
+    </style>
+</head>
+
+<body>
+
+    <div class="report">
+        <div class="line"></div>
+
+        <div class="header">
+            <div class="text">
+                <h1>Scan Remediation</h1>
+                <h2>Report</h2>
+            </div>
+            <img src='data:image/svg+xml;base64,PHN2ZyBlbmFibGUtYmFja2dyb3VuZD0ibmV3IDAgMCAyNzYgODkiIHZpZXdCb3g9IjAgMCAyNzYgODkiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHBhdGggZD0ibTE0OS42IDEyLjJjMi45IDAgNS40IDEgNyAyLjUgMi44IDIuOCAzLjIgNy40IDMuMiAxMi4xcy0uNSA5LjMtMy4yIDEyLjJjLTEuNiAxLjYtNCAyLjUtNyAyLjUtMy4xIDAtNS40LS43LTcuNS0zLjN2MTQuNWgtNS44di00MC4xaDUuN3YzLjFjMi4yLTIuNyA0LjYtMy41IDcuNi0zLjV6bS01Ny4zLjR2MTcuNGMwIDQuNSAyLjUgNi40IDUuOCA2LjQgMy4yIDAgNS45LTIgNS45LTYuNHYtMTcuNGg1Ljh2MjguN2gtNS42di0yLjljLTIgMi4xLTQuOCAzLjMtNy42IDMuMi0yLjYuMS01LjItLjktNy4xLTIuNi0yLjItMi4xLTIuOS00LjktMi45LTguMXYtMTguM3ptMTEyLjMgMHYxNy40YzAgNC41IDIuNSA2LjQgNS44IDYuNCAzLjIgMCA1LjktMiA1LjktNi40di0xNy40aDUuOHYyOC43aC01LjZ2LTIuOWMtMiAyLjEtNC44IDMuMy03LjYgMy4yLTIuNi4xLTUuMi0uOS03LjEtMi42LTIuMi0yLjEtMi45LTQuOS0yLjktOC4xdi0xOC4zem0tMjIuNy0xMmM1LjQgMCA5LjEgMS40IDEyLjUgNC42bC0zLjkgMy44Yy0yLjUtMi40LTUuNC0zLjEtOC45LTMuMS00LjggMC03LjMgMi42LTcuMyA2LjMtLjEgMS40LjQgMi44IDEuNSAzLjcgMSAuOSAyLjIgMS41IDQuNCAxLjhsNC44LjdjMy43LjYgNS43IDEuNCA3LjUgMyAyLjIgMiAzLjMgNC43IDMuMyA4LjMgMCA3LjQtNiAxMS44LTE0LjUgMTEuOC02LjEgMC0xMC40LTEuNC0xNC4zLTUuM2w0LTRjMi45IDIuOSA2LjMgMy45IDEwLjQgMy45IDUuMyAwIDguMy0yLjMgOC4zLTYuMiAwLTEuOC0uNS0zLjItMS42LTQuMi0xLS45LTIuNC0xLjQtNC40LTEuN2wtNC44LS43Yy0zLjMtLjUtNS44LTEuNS03LjYtMy4yLTItMS44LTMtNC40LTMtNy44LjEtNi45IDUuMi0xMS43IDEzLjYtMTEuN3ptODEuMiAxMS42YzcuNyAwIDEyLjIgNS41IDEyLjIgMTMuOXYyLjRoLTE4LjZjMCA1IDIuNSA4IDcuMyA4IDMuMiAwIDQuOS0uOSA3LTIuOWwzLjcgMy41Yy0zIDIuOS01LjcgNC41LTEwLjggNC41LTcuMiAwLTEyLjktMy44LTEyLjktMTQuNy0uMS05LjQgNC43LTE0LjcgMTIuMS0xNC43em0tMzAuNC40djI4LjdoLTUuOHYtMjguN3ptLTE2Mi42LTExLjZjNy41IDAgMTIuMiA0LjIgMTIuMiAxMSAuMSAzLjctMi4xIDcuMS01LjQgOC41IDMuMSAxLjIgNi4xIDQuMiA2LjEgOS4zIDAgNy40LTUgMTEuNC0xMi4yIDExLjRoLTE2LjR2LTQwLjJ6bTY0LjYgMTMuOS00LjQgNC40Yy0xLjMtMS4zLTIuMy0xLjktNC4zLTEuOS0zLjEgMC01LjcgMi41LTUuNyA2LjV2MTcuNGgtNS44di0yOC43aDUuN3YzLjFjMS41LTIgNC40LTMuNCA3LjYtMy40IDIuNy0uMiA1LjIuOCA2LjkgMi42em0xMDkuNS0xMC41djguMmg1LjZ2NC40aC01LjZ2MTZjMCAyLjEgMSAzLjMgMy4yIDMuM2gyLjR2NC45aC0zLjVjLTUuNCAwLTcuOS0zLjgtNy45LTh2LTE2LjJoLTMuM3YtNC40aDMuM3YtOC4yem0tOTYuMSAxM2MtNS4zIDAtNiA0LjQtNiA5LjVzLjcgOS42IDYgOS42IDUuOS00LjUgNS45LTkuNi0uNi05LjUtNS45LTkuNXptLTc3LjkgNi4xaC05LjZ2MTIuM2g5LjZjNC4yIDAgNi42LTIuNiA2LjYtNi4ycy0yLjQtNi4xLTYuNi02LjF6bTE5Mi44LTYuNWMtMi40IDAtNC43IDEuNC01LjcgMy42LS41IDEuMi0uOCAyLjUtLjcgMy45aDEyLjljMC0xLjMtLjMtMi43LS44LTMuOS0xLTIuMS0zLjItMy42LTUuNy0zLjZ6bS0xOTMuNC0xMC41aC05LjF2MTEuNWg5LjFjMy45IDAgNi42LTIgNi42LTUuOCAwLTMuNy0yLjctNS43LTYuNi01Ljd6bTE2My4zLTUuN3Y2LjFoLTYuMXYtNi4xeiIgZmlsbD0iIzAwMDAyMyIvPjxwYXRoIGQ9Im00MS42LjhoLTQwLjd2NDAuN2g0MC43eiIgZmlsbD0iIzAwOTRmZiIvPjxwYXRoIGQ9Im0yMi44IDM1LjhoLTMuMnYtNC43bDQuMy01LjJoLTQuM3YtNi40aC03LjZsNy43LTkuNXYtMy42aDMuMnY0LjdsLTQuMyA1LjJoNC4zdjYuNGg3LjdsLTcuNyA5LjV2My42eiIgZmlsbD0iI2ZmZiIvPjxwYXRoIGQ9Im0xMjQuMSA2Ni40YzEuMy0uMSAyLjcuNCAzLjcgMS4zIDEuNSAxLjUgMS45IDQgMS45IDYuM3MtLjQgNC44LTEuOSA2LjNjLTEgLjktMi4zIDEuNC0zLjcgMS4zLTEuNy4xLTMuNC0uNy00LjQtMi4xdjloLTEuNnYtMjJoMS42djEuOWMxLTEuNCAyLjctMi4yIDQuNC0yem0tMjYuMSAwYzMuNyAwIDYgMi43IDYgNy4zdi43aC0xMC40YzAgMy44IDEuNyA1LjkgNC45IDUuOSAxLjYuMSAzLjEtLjYgNC4xLTEuOGwxLjIuOWMtMS40IDEuNS0zLjMgMi40LTUuNCAyLjMtNC4xIDAtNi40LTIuNi02LjQtNy42IDAtNC45IDIuMi03LjcgNi03Ljd6bTcwLjEgMGMzLjggMCA2IDIuNyA2IDcuM3YuN2gtMTAuNGMwIDMuOCAxLjcgNS45IDQuOSA1LjkgMS42LjEgMy4xLS42IDQuMS0xLjhsMS4yLjljLTEuNCAxLjUtMy4zIDIuNC01LjQgMi4zLTQuMSAwLTYuNC0yLjYtNi40LTcuNiAwLTQuOSAyLjItNy43IDYtNy43em00Mi4xLTd2MjJoLTEuNnYtMS45Yy0xIDEuNC0yLjcgMi4yLTQuNCAyLjEtMS4zLjEtMi43LS40LTMuNy0xLjMtMS41LTEuNS0xLjktNC0xLjktNi4zIDAtMi40LjQtNC44IDEuOS02LjMgMS0uOSAyLjMtMS40IDMuNy0xLjMgMS43LS4xIDMuNC43IDQuNCAyLjF2LTloMS42em0tNTAuOSA4LjUtMS4xIDEuMWMtMS4yLS45LTIuNy0xLjMtNC4yLTEuMy0yLjUgMC0zLjggMS0zLjggMi45IDAgMS42LjkgMi4zIDMgMi41bDIuNC4yYzIuNS4yIDQuNCAxIDQuNCAzLjkgMCAyLjctMi4zIDQuNC02IDQuNC0yLjYgMC00LjUtLjctNi4xLTIuMWwxLjEtMS4xYzEuMyAxLjMgMy4xIDEuOSA0LjkgMS44IDIuOSAwIDQuNS0xIDQuNS0zIDAtMS42LS45LTIuMy0yLjktMi41bC0yLjUtLjJjLTMtLjItNC41LTEuNS00LjUtMy45IDAtMi42IDIuMS00LjIgNS40LTQuMiAyLS4xIDMuOS41IDUuNCAxLjV6bTgyLjcuMWMxLjYgMS42IDEuOSAzLjkgMS45IDZzLS4zIDQuNC0xLjkgNmMtMi4zIDIuMi02IDIuMi04LjMgMC0xLjYtMS42LTEuOS0zLjktMS45LTZzLjMtNC40IDEuOS02YzIuMy0yLjIgNS45LTIuMiA4LjMgMHptLTEyNS42LS4yLTEuMSAxLjFjLS43LS44LTEuNy0xLjItMi44LTEuMi0yLjYgMC00IDIuMS00IDQuNXY5LjJoLTEuNnYtMTQuOGgxLjZ2MmMxLTEuNCAyLjYtMi4yIDQuNC0yLjIgMS4yLS4xIDIuNS40IDMuNSAxLjR6bTI1LjkgMC0xLjEgMS4xYy0uNy0uOC0xLjctMS4yLTIuOC0xLjItMi42IDAtNCAyLjEtNCA0LjV2OS4yaC0xLjZ2LTE0LjhoMS42djJjMS0xLjQgMi42LTIuMiA0LjQtMi4yIDEuMy0uMSAyLjYuNCAzLjUgMS40em0xMTIuNC0xLjRjMi4zLjggMy44IDMuMSAzLjYgNS41djkuNWgtMS42di05LjNjMC0yLjktMS40LTQuNS00LjEtNC41cy00LjIgMS42LTQuMiA0LjV2OS4zaC0xLjZ2LTE0LjloMS42djEuOGMxLjUtMS45IDQtMi43IDYuMy0xLjl6bS01Ny43LTd2MS41aC0xMS43djguN2gxMHYxLjVoLTEwdjguOWgxMS43djEuNWgtMTMuNHYtMjJoMTMuNHptMjQuNCAyLjR2NC44aDMuNHYxLjJoLTMuNHY5LjljMCAxLjYuNyAyLjUgMi4zIDIuNWgxLjF2MS40aC0xLjRjLTIuNCAwLTMuNi0xLjYtMy42LTMuOXYtOS45aC0ydi0xLjJoMnYtNC44em0tMTQyLjkgNC43YzIuMy44IDMuOCAzLjEgMy42IDUuNXY5LjVoLTEuNnYtOS4zYzAtMi45LTEuNC00LjUtNC4xLTQuNXMtNC4yIDEuNi00LjIgNC41djkuM2gtMS42di0xNWgxLjZ2MS44YzEuNS0xLjkgNC0yLjcgNi4zLTEuOHptLTEwLjYtNy4xdjEuNWgtMTEuN3Y4LjdoMTB2MS41aC0xMHY4LjloMTEuN3YxLjVoLTEzLjR2LTIyaDEzLjR6bTE0Ny42IDcuMXYxNC45aC0xLjZ2LTE0Ljl6bS0xMjguMS00Ljd2NC44aDMuNHYxLjJoLTMuNHY5LjljMCAxLjYuNyAyLjUgMi4zIDIuNWgxLjF2MS40aC0xLjRjLTIuNCAwLTMuNi0xLjYtMy42LTMuOXYtOS45aC0ydi0xLjJoMnYtNC44em01OC4zIDQuN3YxNC45aC0xLjZ2LTE0Ljl6bTgzLjEgMHYxNC45aC0xLjZ2LTE0Ljl6bTUuOSAyLjVjLTEuMiAxLjItMS4zIDMuMS0xLjMgNC44di4yYzAgMS43LjEgMy43IDEuMyA1IDEuNyAxLjcgNC41IDEuNyA2LjIgMCAxLjItMS4yIDEuMy0zLjEgMS4zLTQuOHYtLjJjMC0xLjctLjEtMy43LTEuMy01LTEuNy0xLjctNC41LTEuNy02LjIgMHptLTMwLjMtMS4yYy0zLjcgMC00LjIgMy4yLTQuMiA2LjNzLjYgNi4zIDQuMiA2LjNjMy43IDAgNC4yLTMuMiA0LjItNi4zcy0uNi02LjMtNC4yLTYuM3ptLTgwLjUgMGMtMy43IDAtNC4yIDMuMi00LjIgNi4zcy42IDYuMyA0LjIgNi4zIDQuMi0zIDQuMi02LjF2LS4yYzAtMy4yLS41LTYuMy00LjItNi4zem00NC4yIDBjLTEuNyAwLTMuMiAxLTMuOSAyLjUtLjQuOS0uNiAxLjktLjUgMi44aDguOGMwLTEtLjItMS45LS41LTIuOC0uNy0xLjYtMi4yLTIuNi0zLjktMi41em0tNzAuMSAwYy0xLjcgMC0zLjIgMS0zLjkgMi41LS40LjktLjYgMS45LS41IDIuOGg4LjhjMC0xLS4yLTEuOS0uNS0yLjgtLjctMS42LTIuMi0yLjYtMy45LTIuNXptNDcuOS04LjR2MmgtMnYtMnptNjkuOCAwdjJoLTJ2LTJ6bTEzLjMgMHYyaC0ydi0yeiIgZmlsbD0iIzAwOTRmZiIvPjwvc3ZnPg=='
+                width="210" height="60" />
+        </div>
+
+        <div class="section no-margin">
+            <span class="label">Generated by Burp Suite Enterprise Edition | 2024-11-06 12:41 PM</span>
+        </div>
+
+        <div class="section">
+            <table class="column-table">
+                <tbody>
+                    <tr>
+                        <td>
+                            <div class="label">Site name:</div>
+                            <div class="value">m</div>
+                            <div class="label">Scanned:</div>
+                            <table>
+                                <tbody>
+                                    <tr>
+                                        <td>
+                                            <div class="value">Start:</div>
+                                        </td>
+                                        <td>
+                                            <div class="value">2024-11-05 4:59 PM</div>
+                                        </td>
+                                    </tr>
+                                    <tr>
+                                        <td>
+                                            <div class="value">End:</div>
+                                        </td>
+                                        <td>
+                                            <div class="value">2024-11-05 5:13 PM</div>
+                                        </td>
+                                    </tr>
+                                </tbody>
+                            </table>
+                            <div class="label">Duration:</div>
+                            <div class="value">13m 53s</div>
+                            <div class="label">Status:</div>
+                            <div class="value">Completed</div>
+                        </td>
+                        <td>
+                            <div class="label">Start URLs:</div>
+                            <div class="value url">https://instance.example.com/fe/m3/m-login</div>
+
+                            <div class="label">In-scope URL prefixes:</div>
+                            <div class="value url">https://instance.example.com/fe/m3/</div>
+                            <div class="value url">https://instance.example.com/m/v3/</div>
+
+                            <div class="label">Application logins:</div>
+                            <div class="value"> <img
+                                    src='data:image/svg+xml;base64,PHN2ZyBlbmFibGUtYmFja2dyb3VuZD0ibmV3IDAgMCAxNyAxNyIgdmlld0JveD0iMCAwIDE3IDE3IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogICAgPGcgY2xpcC1ydWxlPSJldmVub2RkIiBmaWxsPSIjMzMzMzMyIiBmaWxsLXJ1bGU9ImV2ZW5vZGQiPgogICAgICAgIDxwYXRoIGQ9Im0xNS4zIDYuMS0yLjMgMS4zYy0uMS0uOS0uOC0xLjUtMS43LTEuNWgtLjJjLjQtLjUuNy0xLjIuNy0yIDAtMS44LTEuNC0zLjItMy4yLTMuMi0xLjIgMC0yLjMuNy0yLjggMS44LS40LS4zLS45LS41LTEuNC0uNS0xLjQgMC0yLjUgMS4xLTIuNSAyLjUgMCAuNS4xLjkuNCAxLjMtLjkuMS0xLjYuOC0xLjYgMS43djUuMWMwIC45LjggMS43IDEuNyAxLjdoOWMuNyAwIDEuNC0uNSAxLjYtMS4xbDIuNS45Yy41LjIuOS0uMi45LS43di02LjdjLS4xLS41LS42LS44LTEuMS0uNnptLTYuNi00YzEgMCAxLjguOCAxLjggMS44cy0uOCAxLjgtMS44IDEuOC0xLjgtLjgtMS44LTEuOC44LTEuOCAxLjgtMS44em0tNC4zIDEuM2MuNiAwIDEuMS41IDEuMSAxLjFzLS41IDEuMS0xLjEgMS4xLTEuMS0uNS0xLjEtMS4xLjUtMS4xIDEuMS0xLjF6bTcuMyA5LjJjMCAuMi0uMS4zLS4zLjNoLTljLS4yIDAtLjMtLjEtLjMtLjN2LTUuMWMwLS4yLjEtLjMuMy0uM2g5Yy4yIDAgLjMuMS4zLjN6bTMuMi0uMi0xLjUtLjV2LTMuMWwxLjUtLjh6Ii8+CiAgICAgICAgPHBhdGggZD0ibTkuOSA5LjRoLTYtLjFjLS4zIDAtLjYuMy0uNi43cy4zLjcuNy43aDYgLjFjLjMgMCAuNi0uMy42LS43cy0uNC0uNy0uNy0uN3oiLz4KICAgIDwvZz4KPC9zdmc+'
+                                    width="22" height="22" class="recorded-icon" /> DEMOMX m login only (no clerk)</div>
+
+                            <div class="label">Reference:</div>
+
+                            <div class="value">
+                                #150
+                            </div>
+                        </td>
+                    </tr>
+                </tbody>
+            </table>
+        </div>
+
+        <div class="section">
+            <table class="column-table">
+                <tbody>
+                    <tr>
+                        <td>
+                            <h2>Issues by severity</h2>
+                            <table class="info-table">
+                                <tbody>
+                                    <tr>
+                                        <td class="name">High:</td>
+                                        <td class="value">0</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Medium:</td>
+                                        <td class="value">0</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Low:</td>
+                                        <td class="value">11</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Information:</td>
+                                        <td class="value">44</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Total issues found:</td>
+                                        <td class="value">55</td>
+                                    </tr>
+                                </tbody>
+                            </table>
+                        </td>
+                        <td>
+                            <h2>Scan statistics</h2>
+                            <table class="info-table">
+                                <tbody>
+                                    <tr>
+                                        <td class="name">Discovered URLs:</td>
+                                        <td class="value">44</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Audited URLs without errors:</td>
+                                        <td class="value">9</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Audited URLs with errors:</td>
+                                        <td class="value">1</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Requests made:</td>
+                                        <td class="value">12354</td>
+                                    </tr>
+                                    <tr>
+                                        <td class="name">Network errors:</td>
+                                        <td class="value">28</td>
+                                    </tr>
+                                </tbody>
+                            </table>
+                        </td>
+                    </tr>
+                </tbody>
+            </table>
+        </div>
+
+        <div class="section divider"></div>
+
+        <div class="section standalone-section">
+            <h1>Issues found on https://instance.example.com</h1>
+
+            <table class='issue-table'>
+                <thead>
+                    <tr>
+                        <th>URLs By issue type</th>
+                        <th>Severity</th>
+                        <th>Confidence</th>
+                        <th class="no-print">More detail</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Strict transport security not enforced [7]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#7459896704422157312">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/action-log
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#2208045381316932608">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/event-log
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#3310329974499847168">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/login-m-by-name
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8930014484270623744">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/request-m-password-reset
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#5267572311222231040">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8897869992152202240">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations/locales
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#2544375508483323904">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Open redirection (DOM-based) [4]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Tentative</td>
+                        <td class="nowrap center no-print"><a href="#6674428486008773632">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Tentative</td>
+                        <td class="nowrap center no-print"><a href="#8308469567087165440">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Tentative</td>
+                        <td class="nowrap center no-print"><a href="#6741367401146747904">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Low</td>
+                        <td class="nowrap">Tentative</td>
+                        <td class="nowrap center no-print"><a href="#6267850805052795904">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">TLS certificate [1]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#3527817892229159936">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Content security policy: allows untrusted script execution [7]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#5259898011373310976">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/action-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#4657103024505977856">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/event-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#902521611952553984">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/login-m-by-name
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#6264510907054532608">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/request-m-password-reset
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#1529192591484086272">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#3808026467961441280">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations/locales
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#4466300982206924800">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Content security policy: allows untrusted style execution [7]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#2695716473583569920">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/action-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#1298103128246460416">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/event-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#2014798415321718784">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/login-m-by-name
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#1922984841418255360">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/request-m-password-reset
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8450741944245941248">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#3555706921975993344">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations/locales
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#2057881140009319424">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Content security policy: allows form hijacking [7]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8357691155950076928">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/action-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#4549316367934383104">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/event-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#6701390394372629504">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/login-m-by-name
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#5123150992306434048">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/request-m-password-reset
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#6598663798538817536">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#7695309936584174592">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations/locales
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#3054733144918620160">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Cross-origin resource sharing [6]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/action-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8763174910093391872">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/event-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#5925852801819709440">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/login-m-by-name
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#5857278075795971072">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/request-m-password-reset
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#1427808413525564416">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8711212538224995328">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations/locales
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#5779334575193283584">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Cross-origin resource sharing: arbitrary origin trusted [6]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/action-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8820756364458124288">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/event-log
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#530498929544584192">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/login-m-by-name
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#5900011248769263616">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/actions/request-m-password-reset
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#1161946040846946304">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8827647893815513088">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /m/v3/translations/locales
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#3408790232388447232">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Robots.txt file [1]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /robots.txt
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#1403797905824836608">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Cacheable HTTPS response [1]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#8892116954353746944">&gt;&gt;</a></td>
+                    </tr>
+                    <tr class="issue-type-row">
+                        <td colspan="4">DOM data manipulation (DOM-based) [6]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Firm</td>
+                        <td class="nowrap center no-print"><a href="#5632626482916889600">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Firm</td>
+                        <td class="nowrap center no-print"><a href="#2020756852015877120">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Firm</td>
+                        <td class="nowrap center no-print"><a href="#547516727130662912">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Firm</td>
+                        <td class="nowrap center no-print"><a href="#3668057833940777984">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Firm</td>
+                        <td class="nowrap center no-print"><a href="#7064533534944179200">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Firm</td>
+                        <td class="nowrap center no-print"><a href="#7933681146442143744">&gt;&gt;</a></td>
+                    </tr>
+                </tbody>
+            </table>
+        </div>
+        <div class="section divider"></div>
+
+        <div class="section standalone-section">
+            <h1>Issues found on http://instance.example.com</h1>
+
+            <table class='issue-table'>
+                <thead>
+                    <tr>
+                        <th>URLs By issue type</th>
+                        <th>Severity</th>
+                        <th>Confidence</th>
+                        <th class="no-print">More detail</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    <tr class="issue-type-row">
+                        <td colspan="4">Input returned in response (reflected) [2]</td>
+                    </tr>
+
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#3588084604190000128">&gt;&gt;</a></td>
+                    </tr>
+                    <tr>
+                        <td class="issue-path issue-link">
+                            /fe/m3/m-login
+                        </td>
+                        <td>Info</td>
+                        <td class="nowrap">Certain</td>
+                        <td class="nowrap center no-print"><a href="#6924794329102809088">&gt;&gt;</a></td>
+                    </tr>
+                </tbody>
+            </table>
+        </div>
+
+        <div class="section divider"></div>
+
+        <div class="section details standalone-section">
+            <h1>More details for https://instance.example.com</h1>
+        </div>
+
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="7459896704422157312"></a>
+                <h2>Strict transport security not enforced</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
+                        attacker able to modify a legitimate user's network traffic could bypass the application's use
+                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
+                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
+                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
+                        sslstrip tool automates this process. </p>
+                    <p>
+                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
+                        the victim's network traffic.This scenario typically occurs when a client communicates with the
+                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
+                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
+                        to prevent this. An attacker situated in the user's ISP or the application's hosting
+                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
+                        target any connection made over the Internet's core infrastructure. </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
+                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
+                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
+                        seconds that browsers should remember that the site should only be accessed using HTTPS.
+                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
+                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
+                        accessed the application will never have seen the HSTS header, and will therefore still be
+                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
+                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
+                                Strict Transport Security</a></li>
+                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
+                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
+                                Credentials</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
+                                Attack</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="2208045381316932608"></a>
+                <h2>Strict transport security not enforced</h2>
+                <a href="">/m/v3/actions/action-log</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
+                        attacker able to modify a legitimate user's network traffic could bypass the application's use
+                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
+                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
+                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
+                        sslstrip tool automates this process. </p>
+                    <p>
+                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
+                        the victim's network traffic.This scenario typically occurs when a client communicates with the
+                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
+                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
+                        to prevent this. An attacker situated in the user's ISP or the application's hosting
+                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
+                        target any connection made over the Internet's core infrastructure. </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
+                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
+                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
+                        seconds that browsers should remember that the site should only be accessed using HTTPS.
+                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
+                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
+                        accessed the application will never have seen the HSTS header, and will therefore still be
+                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
+                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
+                                Strict Transport Security</a></li>
+                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
+                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
+                                Credentials</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
+                                Attack</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 118
+
+                        {&quot;name&quot;:&quot;mLoginAttempt&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;,&quot;mName&quot;:&quot;&quot;}}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:46 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="3310329974499847168"></a>
+                <h2>Strict transport security not enforced</h2>
+                <a href="">/m/v3/actions/event-log</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
+                        attacker able to modify a legitimate user's network traffic could bypass the application's use
+                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
+                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
+                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
+                        sslstrip tool automates this process. </p>
+                    <p>
+                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
+                        the victim's network traffic.This scenario typically occurs when a client communicates with the
+                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
+                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
+                        to prevent this. An attacker situated in the user's ISP or the application's hosting
+                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
+                        target any connection made over the Internet's core infrastructure. </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
+                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
+                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
+                        seconds that browsers should remember that the site should only be accessed using HTTPS.
+                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
+                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
+                        accessed the application will never have seen the HSTS header, and will therefore still be
+                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
+                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
+                                Strict Transport Security</a></li>
+                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
+                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
+                                Credentials</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
+                                Attack</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 279
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843990,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
+                        <div class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:50 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="8930014484270623744"></a>
+                <h2>Strict transport security not enforced</h2>
+                <a href="">/m/v3/actions/login-m-by-name</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
+                        attacker able to modify a legitimate user's network traffic could bypass the application's use
+                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
+                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
+                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
+                        sslstrip tool automates this process. </p>
+                    <p>
+                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
+                        the victim's network traffic.This scenario typically occurs when a client communicates with the
+                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
+                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
+                        to prevent this. An attacker situated in the user's ISP or the application's hosting
+                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
+                        target any connection made over the Internet's core infrastructure. </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
+                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
+                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
+                        seconds that browsers should remember that the site should only be accessed using HTTPS.
+                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
+                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
+                        accessed the application will never have seen the HSTS header, and will therefore still be
+                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
+                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
+                                Strict Transport Security</a></li>
+                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
+                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
+                                Credentials</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
+                                Attack</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Authorization: Bearer undefined
+                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 33
+
+                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:46 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="5267572311222231040"></a>
+                <h2>Strict transport security not enforced</h2>
+                <a href="">/m/v3/actions/request-m-password-reset</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
+                        attacker able to modify a legitimate user's network traffic could bypass the application's use
+                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
+                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
+                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
+                        sslstrip tool automates this process. </p>
+                    <p>
+                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
+                        the victim's network traffic.This scenario typically occurs when a client communicates with the
+                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
+                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
+                        to prevent this. An attacker situated in the user's ISP or the application's hosting
+                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
+                        target any connection made over the Internet's core infrastructure. </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
+                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
+                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
+                        seconds that browsers should remember that the site should only be accessed using HTTPS.
+                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
+                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
+                        accessed the application will never have seen the HSTS header, and will therefore still be
+                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
+                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
+                                Strict Transport Security</a></li>
+                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
+                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
+                                Credentials</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
+                                Attack</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/request-reset-password
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 94
+
+                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:36 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="8897869992152202240"></a>
+                <h2>Strict transport security not enforced</h2>
+                <a href="">/m/v3/translations</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
+                        attacker able to modify a legitimate user's network traffic could bypass the application's use
+                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
+                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
+                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
+                        sslstrip tool automates this process. </p>
+                    <p>
+                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
+                        the victim's network traffic.This scenario typically occurs when a client communicates with the
+                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
+                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
+                        to prevent this. An attacker situated in the user's ISP or the application's hosting
+                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
+                        target any connection made over the Internet's core infrastructure. </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
+                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
+                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
+                        seconds that browsers should remember that the site should only be accessed using HTTPS.
+                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
+                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
+                        accessed the application will never have seen the HSTS header, and will therefore still be
+                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
+                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
+                                Strict Transport Security</a></li>
+                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
+                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
+                                Credentials</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
+                                Attack</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:39 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="2544375508483323904"></a>
+                <h2>Strict transport security not enforced</h2>
+                <a href="">/m/v3/translations/locales</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
+                        attacker able to modify a legitimate user's network traffic could bypass the application's use
+                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
+                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
+                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
+                        sslstrip tool automates this process. </p>
+                    <p>
+                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
+                        the victim's network traffic.This scenario typically occurs when a client communicates with the
+                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
+                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
+                        to prevent this. An attacker situated in the user's ISP or the application's hosting
+                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
+                        target any connection made over the Internet's core infrastructure. </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
+                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
+                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
+                        seconds that browsers should remember that the site should only be accessed using HTTPS.
+                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
+                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
+                        accessed the application will never have seen the HSTS header, and will therefore still be
+                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
+                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
+                                Strict Transport Security</a></li>
+                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
+                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
+                                Credentials</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
+                                Attack</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:24 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="6674428486008773632"></a>
+                <h2>Open redirection (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based open redirection. Data is read from
+                    <b>location.href</b> and passed to <b>xhr.send</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+
+                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
+                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
+                        URL that, if visited by another application user, will cause a redirection to an arbitrary
+                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
+                        the application. The ability to use an authentic application URL, targeting the correct domain
+                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
+                        because many users, even if they verify these features, will not notice the subsequent
+                        redirection to a different domain.</p>
+                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
+                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
+                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
+                        script code when the URL is processed by the browser.</p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
+                        set redirection targets using data that originated from any untrusted source. If the desired
+                        functionality of the application means that this behavior is unavoidable, then defenses must be
+                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
+                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
+                        are permitted redirection targets, and strictly validating the target against this list before
+                        performing the redirection.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
+                                Academy: Open redirection (DOM-based)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
+                                Untrusted Site ('Open Redirect')</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.href</b> and passed to <b>xhr.send</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/&gt;&lt;iepuap2p8w/\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/&gt;&lt;iepuap2p8w/\&gt;fwqsx8nplw&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get href (&lt;anonymous&gt;:1:249544)
+at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
+at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
+at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
+at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
+at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
+at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
+at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
+at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
+at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
+at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
+at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
+at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
+at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
+at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
+at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="8308469567087165440"></a>
+                <h2>Open redirection (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based open redirection. Data is read from
+                    <b>location.search</b> and passed to <b>xhr.send</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+
+                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
+                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
+                        URL that, if visited by another application user, will cause a redirection to an arbitrary
+                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
+                        the application. The ability to use an authentic application URL, targeting the correct domain
+                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
+                        because many users, even if they verify these features, will not notice the subsequent
+                        redirection to a different domain.</p>
+                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
+                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
+                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
+                        script code when the URL is processed by the browser.</p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
+                        set redirection targets using data that originated from any untrusted source. If the desired
+                        functionality of the application means that this behavior is unavoidable, then defenses must be
+                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
+                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
+                        are permitted redirection targets, and strictly validating the target against this list before
+                        performing the redirection.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
+                                Academy: Open redirection (DOM-based)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
+                                Untrusted Site ('Open Redirect')</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.search</b> and passed to <b>xhr.send</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">?kpiqhi5l29=kpiqhi5l29%27%22`'"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\&gt;ba6kcvqqrk&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get search (&lt;anonymous&gt;:1:248279)
+at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
+at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
+at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
+at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
+at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
+at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
+at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
+at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
+at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
+at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
+at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
+at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
+at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
+at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
+at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="6741367401146747904"></a>
+                <h2>Open redirection (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based open redirection. Data is read from
+                    <b>location.href</b> and passed to <b>xhr.send</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+
+                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
+                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
+                        URL that, if visited by another application user, will cause a redirection to an arbitrary
+                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
+                        the application. The ability to use an authentic application URL, targeting the correct domain
+                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
+                        because many users, even if they verify these features, will not notice the subsequent
+                        redirection to a different domain.</p>
+                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
+                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
+                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
+                        script code when the URL is processed by the browser.</p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
+                        set redirection targets using data that originated from any untrusted source. If the desired
+                        functionality of the application means that this behavior is unavoidable, then defenses must be
+                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
+                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
+                        are permitted redirection targets, and strictly validating the target against this list before
+                        performing the redirection.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
+                                Academy: Open redirection (DOM-based)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
+                                Untrusted Site ('Open Redirect')</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.href</b> and passed to <b>xhr.send</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\&gt;sbxdhx44wf&amp;#bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\&gt;sbxdhx44wf&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/&gt;&lt;esux3absmq/\\&gt;z0k5afa1h6&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get href (&lt;anonymous&gt;:1:249544)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get search (&lt;anonymous&gt;:1:248279)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get href (&lt;anonymous&gt;:1:249544)
+at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
+at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
+at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
+at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
+at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
+at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
+at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
+at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
+at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
+at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
+at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
+at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
+at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
+at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="6267850805052795904"></a>
+                <h2>Open redirection (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based open redirection. Data is read from
+                    <b>location.search</b> and passed to <b>xhr.send</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+
+                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
+                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
+                        URL that, if visited by another application user, will cause a redirection to an arbitrary
+                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
+                        the application. The ability to use an authentic application URL, targeting the correct domain
+                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
+                        because many users, even if they verify these features, will not notice the subsequent
+                        redirection to a different domain.</p>
+                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
+                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
+                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
+                        script code when the URL is processed by the browser.</p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
+                        set redirection targets using data that originated from any untrusted source. If the desired
+                        functionality of the application means that this behavior is unavoidable, then defenses must be
+                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
+                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
+                        are permitted redirection targets, and strictly validating the target against this list before
+                        performing the redirection.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
+                                Academy: Open redirection (DOM-based)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
+                                Untrusted Site ('Open Redirect')</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.search</b> and passed to <b>xhr.send</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">?esux3absmq=esux3absmq%27%22`'"/esux3absmq/&gt;&lt;esux3absmq/\&gt;z0k5afa1h6&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/&gt;&lt;esux3absmq/\\&gt;z0k5afa1h6&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get href (&lt;anonymous&gt;:1:249544)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get search (&lt;anonymous&gt;:1:248279)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get search (&lt;anonymous&gt;:1:248279)
+at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
+at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
+at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
+at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
+at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
+at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
+at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
+at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
+at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
+at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
+at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
+at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
+at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
+at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
+at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
+at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="3527817892229159936"></a>
+                <h2>TLS certificate</h2>
+                <a href="">/</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The server presented a valid, trusted TLS certificate. This issue is purely
+                    informational.<br><br>The server presented the following certificates:<br><br>
+                    <h4>Server certificate</h4>
+                    <table>
+                        <tr>
+                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
+                            <td>*.sandbox.example.com</td>
+                        </tr>
+                        <tr>
+                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
+                            <td>Amazon RSA 2048 M02</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
+                            <td>Wed Feb 28 00:00:00 UTC 2024</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
+                            <td>Sat Mar 29 23:59:59 UTC 2025</td>
+                        </tr>
+                    </table>
+                    <h4>Certificate chain #1</h4>
+                    <table>
+                        <tr>
+                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
+                            <td>Amazon RSA 2048 M02</td>
+                        </tr>
+                        <tr>
+                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
+                            <td>Amazon Root CA 1</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
+                            <td>Tue Aug 23 22:25:30 UTC 2022</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
+                            <td>Fri Aug 23 22:25:30 UTC 2030</td>
+                        </tr>
+                    </table>
+                    <h4>Certificate chain #2</h4>
+                    <table>
+                        <tr>
+                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
+                            <td>Amazon Root CA 1</td>
+                        </tr>
+                        <tr>
+                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
+                            <td>Starfield Services Root Certificate Authority - G2</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
+                            <td>Mon May 25 12:00:00 UTC 2015</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
+                            <td>Thu Dec 31 01:00:00 UTC 2037</td>
+                        </tr>
+                    </table>
+                    <h4>Certificate chain #3</h4>
+                    <table>
+                        <tr>
+                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
+                            <td>Starfield Services Root Certificate Authority - G2</td>
+                        </tr>
+                        <tr>
+                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
+                            <td>Starfield Class 2 Certification Authority</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
+                            <td>Wed Sep 02 00:00:00 UTC 2009</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
+                            <td>Wed Jun 28 17:39:16 UTC 2034</td>
+                        </tr>
+                    </table>
+                    <h4>Certificate chain #4</h4>
+                    <table>
+                        <tr>
+                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
+                            <td>Starfield Class 2 Certification Authority</td>
+                        </tr>
+                        <tr>
+                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
+                            <td>Starfield Class 2 Certification Authority</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
+                            <td>Tue Jun 29 17:39:16 UTC 2004</td>
+                        </tr>
+                        <tr>
+                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
+                            <td>Thu Jun 29 17:39:16 UTC 2034</td>
+                        </tr>
+                    </table>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between
+                        the browser and server, and to provide authentication of the server's identity. To serve this
+                        purpose, the server must present an TLS certificate that is valid for the server's hostname, is
+                        issued by a trusted authority and is valid for the current date. If any one of these
+                        requirements is not met, TLS connections to the server will not provide the full protection for
+                        which TLS is designed.</p>
+                    <p>It should be noted that various attacks exist against TLS in general, and in the context of HTTPS
+                        web connections in particular. It may be possible for a determined and suitably-positioned
+                        attacker to compromise TLS connections without user detection even when a valid TLS certificate
+                        is used. </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS">SSL/TLS Configuration Guide</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate
+                                Validation</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption
+                                Strength</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky
+                                Cryptographic Algorithm</a></li>
+                    </ul>
+                </div>
+
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="5259898011373310976"></a>
+                <h2>Content security policy: allows untrusted script execution</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
+                        result, it may fail to mitigate cross-site scripting attacks.</p>
+                    <p>The policy has the following issues:</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                
+                <div>
+                    <p>
+                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
+                        wildcards in script directives. Use a secure, random
+                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
+                                Security Academy: What is XSS?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
+                                Security Academy: Mitigating XSS attacks using CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
+                                Academy: Preventing XSS</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
+                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
+                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="4657103024505977856"></a>
+                <h2>Content security policy: allows untrusted script execution</h2>
+                <a href="">/m/v3/actions/action-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
+                        result, it may fail to mitigate cross-site scripting attacks.</p>
+                    <p>The policy has the following issues:</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
+                        wildcards in script directives. Use a secure, random
+                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
+                                Security Academy: What is XSS?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
+                                Security Academy: Mitigating XSS attacks using CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
+                                Academy: Preventing XSS</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
+                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
+                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 107
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;}}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:26 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="902521611952553984"></a>
+                <h2>Content security policy: allows untrusted script execution</h2>
+                <a href="">/m/v3/actions/event-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
+                        result, it may fail to mitigate cross-site scripting attacks.</p>
+                    <p>The policy has the following issues:</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
+                        wildcards in script directives. Use a secure, random
+                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
+                                Security Academy: What is XSS?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
+                                Security Academy: Mitigating XSS attacks using CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
+                                Academy: Preventing XSS</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
+                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
+                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 279
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843990,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
+                        <div class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:50 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="6264510907054532608"></a>
+                <h2>Content security policy: allows untrusted script execution</h2>
+                <a href="">/m/v3/actions/login-m-by-name</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
+                        result, it may fail to mitigate cross-site scripting attacks.</p>
+                    <p>The policy has the following issues:</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
+                        wildcards in script directives. Use a secure, random
+                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
+                                Security Academy: What is XSS?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
+                                Security Academy: Mitigating XSS attacks using CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
+                                Academy: Preventing XSS</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
+                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
+                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Authorization: Bearer undefined
+                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 33
+
+                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:46 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="1529192591484086272"></a>
+                <h2>Content security policy: allows untrusted script execution</h2>
+                <a href="">/m/v3/actions/request-m-password-reset</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
+                        result, it may fail to mitigate cross-site scripting attacks.</p>
+                    <p>The policy has the following issues:</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
+                        wildcards in script directives. Use a secure, random
+                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
+                                Security Academy: What is XSS?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
+                                Security Academy: Mitigating XSS attacks using CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
+                                Academy: Preventing XSS</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
+                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
+                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/request-reset-password
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 94
+
+                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:36 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="3808026467961441280"></a>
+                <h2>Content security policy: allows untrusted script execution</h2>
+                <a href="">/m/v3/translations</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
+                        result, it may fail to mitigate cross-site scripting attacks.</p>
+                    <p>The policy has the following issues:</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
+                        wildcards in script directives. Use a secure, random
+                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
+                                Security Academy: What is XSS?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
+                                Security Academy: Mitigating XSS attacks using CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
+                                Academy: Preventing XSS</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
+                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
+                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:39 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="4466300982206924800"></a>
+                <h2>Content security policy: allows untrusted script execution</h2>
+                <a href="">/m/v3/translations/locales</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
+                        result, it may fail to mitigate cross-site scripting attacks.</p>
+                    <p>The policy has the following issues:</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
+                        wildcards in script directives. Use a secure, random
+                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
+                                Security Academy: What is XSS?</a></li>
+                        <li><a
+                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
+                                Security Academy: Mitigating XSS attacks using CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
+                                Academy: Preventing XSS</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
+                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
+                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:24 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="2695716473583569920"></a>
+                <h2>Content security policy: allows untrusted style execution</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
+                        to mitigate style based data exfiltration.</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
+                        wildcards in style directives.
+                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
+                                Blind CSS exfiltration</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
+                                Research: Offensive CSS research</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
+                                Cross-Domain Theft</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="1298103128246460416"></a>
+                <h2>Content security policy: allows untrusted style execution</h2>
+                <a href="">/m/v3/actions/action-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
+                        to mitigate style based data exfiltration.</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
+                        wildcards in style directives.
+                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
+                                Blind CSS exfiltration</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
+                                Research: Offensive CSS research</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
+                                Cross-Domain Theft</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 107
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;}}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:26 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="2014798415321718784"></a>
+                <h2>Content security policy: allows untrusted style execution</h2>
+                <a href="">/m/v3/actions/event-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
+                        to mitigate style based data exfiltration.</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
+                        wildcards in style directives.
+                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
+                                Blind CSS exfiltration</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
+                                Research: Offensive CSS research</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
+                                Cross-Domain Theft</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 279
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843990,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
+                        <div class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:50 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="1922984841418255360"></a>
+                <h2>Content security policy: allows untrusted style execution</h2>
+                <a href="">/m/v3/actions/login-m-by-name</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
+                        to mitigate style based data exfiltration.</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
+                        wildcards in style directives.
+                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
+                                Blind CSS exfiltration</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
+                                Research: Offensive CSS research</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
+                                Cross-Domain Theft</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Authorization: Bearer undefined
+                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 33
+
+                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:46 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="8450741944245941248"></a>
+                <h2>Content security policy: allows untrusted style execution</h2>
+                <a href="">/m/v3/actions/request-m-password-reset</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
+                        to mitigate style based data exfiltration.</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
+                        wildcards in style directives.
+                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
+                                Blind CSS exfiltration</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
+                                Research: Offensive CSS research</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
+                                Cross-Domain Theft</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/request-reset-password
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 94
+
+                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:36 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="3555706921975993344"></a>
+                <h2>Content security policy: allows untrusted style execution</h2>
+                <a href="">/m/v3/translations</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
+                        to mitigate style based data exfiltration.</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
+                        wildcards in style directives.
+                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
+                                Blind CSS exfiltration</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
+                                Research: Offensive CSS research</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
+                                Cross-Domain Theft</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:39 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="2057881140009319424"></a>
+                <h2>Content security policy: allows untrusted style execution</h2>
+                <a href="">/m/v3/translations/locales</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
+                        to mitigate style based data exfiltration.</p>
+                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
+                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>
+                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
+                        wildcards in style directives.
+                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
+                                Blind CSS exfiltration</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
+                                Research: Offensive CSS research</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
+                                Special Element</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
+                                Cross-Domain Theft</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:24 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="8357691155950076928"></a>
+                <h2>Content security policy: allows form hijacking</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
+                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
+                        from a manager and sending them to an attacker's server upon form submission.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>We recommend using the form-action directive in the CSP response header to control form post
+                        destinations. If no form actions are used, set form-action to 'none' to block
+                        untrusted forms. For applications without external form URLs, use 'self' to allow only
+                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
+                        be aware this lets attackers submit to these external resources.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
+                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="4549316367934383104"></a>
+                <h2>Content security policy: allows form hijacking</h2>
+                <a href="">/m/v3/actions/action-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
+                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
+                        from a manager and sending them to an attacker's server upon form submission.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>We recommend using the form-action directive in the CSP response header to control form post
+                        destinations. If no form actions are used, set form-action to 'none' to block
+                        untrusted forms. For applications without external form URLs, use 'self' to allow only
+                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
+                        be aware this lets attackers submit to these external resources.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
+                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 107
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;}}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:26 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="6701390394372629504"></a>
+                <h2>Content security policy: allows form hijacking</h2>
+                <a href="">/m/v3/actions/event-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
+                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
+                        from a manager and sending them to an attacker's server upon form submission.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>We recommend using the form-action directive in the CSP response header to control form post
+                        destinations. If no form actions are used, set form-action to 'none' to block
+                        untrusted forms. For applications without external form URLs, use 'self' to allow only
+                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
+                        be aware this lets attackers submit to these external resources.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
+                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 301
+
+                        {&quot;name&quot;:&quot;mLoginAttempted&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843986,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previousURL&quot;
+                        <div class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:46 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="5123150992306434048"></a>
+                <h2>Content security policy: allows form hijacking</h2>
+                <a href="">/m/v3/actions/login-m-by-name</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
+                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
+                        from a manager and sending them to an attacker's server upon form submission.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>We recommend using the form-action directive in the CSP response header to control form post
+                        destinations. If no form actions are used, set form-action to 'none' to block
+                        untrusted forms. For applications without external form URLs, use 'self' to allow only
+                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
+                        be aware this lets attackers submit to these external resources.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
+                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Authorization: Bearer undefined
+                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 33
+
+                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:46 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="6598663798538817536"></a>
+                <h2>Content security policy: allows form hijacking</h2>
+                <a href="">/m/v3/actions/request-m-password-reset</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
+                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
+                        from a manager and sending them to an attacker's server upon form submission.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>We recommend using the form-action directive in the CSP response header to control form post
+                        destinations. If no form actions are used, set form-action to 'none' to block
+                        untrusted forms. For applications without external form URLs, use 'self' to allow only
+                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
+                        be aware this lets attackers submit to these external resources.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
+                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
+                        Origin: https://instance.example.com
+                        Referer: https://instance.example.com/fe/m3/request-reset-password
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 94
+
+                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:36 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="7695309936584174592"></a>
+                <h2>Content security policy: allows form hijacking</h2>
+                <a href="">/m/v3/translations</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
+                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
+                        from a manager and sending them to an attacker's server upon form submission.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>We recommend using the form-action directive in the CSP response header to control form post
+                        destinations. If no form actions are used, set form-action to 'none' to block
+                        untrusted forms. For applications without external form URLs, use 'self' to allow only
+                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
+                        be aware this lets attackers submit to these external resources.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
+                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:39 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="3054733144918620160"></a>
+                <h2>Content security policy: allows form hijacking</h2>
+                <a href="">/m/v3/translations/locales</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
+                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
+                        from a manager and sending them to an attacker's server upon form submission.</p>
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
+                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
+                        Websites can specify their security policy in a response header or meta tag, enabling
+                        fine-grained control over dangerous features like scripts and stylesheets.
+                    </p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>We recommend using the form-action directive in the CSP response header to control form post
+                        destinations. If no form actions are used, set form-action to 'none' to block
+                        untrusted forms. For applications without external form URLs, use 'self' to allow only
+                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
+                        be aware this lets attackers submit to these external resources.
+                    </p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a
+                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
+                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
+                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
+                                Security Academy: What is CSP?</a></li>
+                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
+                                (CSP)</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 21:59:24 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
+                            https://staging.example.com</span>
+                        Access-Control-Allow-Origin: *
+                        Access-Control-Allow-Credentials: true
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="8763174910093391872"></a>
+                <h2>Cross-origin resource sharing</h2>
+                <a href="">/m/v3/actions/action-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
+                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
+                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
+                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
+                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
+                    an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
+                        application. If a user is logged in to the application, and visits a domain allowed by the
+                        policy, then any malicious content running on that domain can potentially retrieve content from
+                        the application, and sometimes carry out actions within the security context of the logged in
+                        user.</p>
+                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
+                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
+                        attack the application that allows access. CORS policies on pages containing sensitive
+                        information should be reviewed to determine whether it is appropriate for the application to
+                        trust both the intentions and security posture of any domains granted access.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0
+                        <span class="highlight">Origin: https://instance.example.com</span>
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 118
+
+                        {&quot;name&quot;:&quot;mLoginAttempt&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;,&quot;mName&quot;:&quot;&quot;}}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:00:29 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="5925852801819709440"></a>
+                <h2>Cross-origin resource sharing</h2>
+                <a href="">/m/v3/actions/event-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
+                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
+                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
+                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
+                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
+                    an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
+                        application. If a user is logged in to the application, and visits a domain allowed by the
+                        policy, then any malicious content running on that domain can potentially retrieve content from
+                        the application, and sometimes carry out actions within the security context of the logged in
+                        user.</p>
+                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
+                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
+                        attack the application that allows access. CORS policies on pages containing sensitive
+                        information should be reviewed to determine whether it is appropriate for the application to
+                        trust both the intentions and security posture of any domains granted access.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0
+                        <span class="highlight">Origin: https://instance.example.com</span>
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 279
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730844029,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
+                        <div class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:00:30 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="5857278075795971072"></a>
+                <h2>Cross-origin resource sharing</h2>
+                <a href="">/m/v3/actions/login-m-by-name</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
+                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
+                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
+                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
+                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
+                    an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
+                        application. If a user is logged in to the application, and visits a domain allowed by the
+                        policy, then any malicious content running on that domain can potentially retrieve content from
+                        the application, and sometimes carry out actions within the security context of the logged in
+                        user.</p>
+                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
+                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
+                        attack the application that allows access. CORS policies on pages containing sensitive
+                        information should be reviewed to determine whether it is appropriate for the application to
+                        trust both the intentions and security posture of any domains granted access.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Authorization: Bearer undefined
+                        Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0
+                        <span class="highlight">Origin: https://instance.example.com</span>
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 33
+
+                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:00:23 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="1427808413525564416"></a>
+                <h2>Cross-origin resource sharing</h2>
+                <a href="">/m/v3/actions/request-m-password-reset</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
+                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
+                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
+                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
+                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
+                    an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
+                        application. If a user is logged in to the application, and visits a domain allowed by the
+                        policy, then any malicious content running on that domain can potentially retrieve content from
+                        the application, and sometimes carry out actions within the security context of the logged in
+                        user.</p>
+                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
+                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
+                        attack the application that allows access. CORS policies on pages containing sensitive
+                        information should be reviewed to determine whether it is appropriate for the application to
+                        trust both the intentions and security posture of any domains granted access.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0
+                        <span class="highlight">Origin: https://instance.example.com</span>
+                        Referer: https://instance.example.com/fe/m3/request-reset-password
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 94
+
+                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:00:23 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="8711212538224995328"></a>
+                <h2>Cross-origin resource sharing</h2>
+                <a href="">/m/v3/translations</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
+                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
+                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
+                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
+                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
+                    an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
+                        application. If a user is logged in to the application, and visits a domain allowed by the
+                        policy, then any malicious content running on that domain can potentially retrieve content from
+                        the application, and sometimes carry out actions within the security context of the logged in
+                        user.</p>
+                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
+                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
+                        attack the application that allows access. CORS policies on pages containing sensitive
+                        information should be reviewed to determine whether it is appropriate for the application to
+                        trust both the intentions and security posture of any domains granted access.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        <span class="highlight">Origin: https://instance.example.com</span>
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:04:36 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="5779334575193283584"></a>
+                <h2>Cross-origin resource sharing</h2>
+                <a href="">/m/v3/translations/locales</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
+                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
+                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
+                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
+                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
+                    an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
+                        application. If a user is logged in to the application, and visits a domain allowed by the
+                        policy, then any malicious content running on that domain can potentially retrieve content from
+                        the application, and sometimes carry out actions within the security context of the logged in
+                        user.</p>
+                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
+                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
+                        attack the application that allows access. CORS policies on pages containing sensitive
+                        information should be reviewed to determine whether it is appropriate for the application to
+                        trust both the intentions and security posture of any domains granted access.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        <span class="highlight">Origin: https://instance.example.com</span>
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:09:09 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="8820756364458124288"></a>
+                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
+                <a href="">/m/v3/actions/action-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
+                    that allows access from any domain.<br><br>The application allowed access from the requested origin
+                    <strong>https://aazpkgamubbk.com</strong><br><br>The response uses a wildcard in the
+                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
+                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
+                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
+                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>
+                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
+                        interaction by third-party web sites. Unless the response consists only of unprotected public
+                        content, this policy is likely to present a security risk.</p>
+                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
+                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
+                        attackers may be able to bypass any IP-based access controls by proxying through users'
+                        browsers.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
+                        trusted domains.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0
+                        <span class="highlight">Origin: https://aazpkgamubbk.com</span>
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 118
+
+                        {&quot;name&quot;:&quot;mLoginAttempt&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;,&quot;mName&quot;:&quot;&quot;}}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:08:15 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="530498929544584192"></a>
+                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
+                <a href="">/m/v3/actions/event-log</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
+                    that allows access from any domain.<br><br>The application allowed access from the requested origin
+                    <strong>https://nyc.com</strong><br><br>The response uses a wildcard in the
+                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
+                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
+                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
+                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>
+                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
+                        interaction by third-party web sites. Unless the response consists only of unprotected public
+                        content, this policy is likely to present a security risk.</p>
+                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
+                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
+                        attackers may be able to bypass any IP-based access controls by proxying through users'
+                        browsers.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
+                        trusted domains.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0
+                        <span class="highlight">Origin: https://nyc.com</span>
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 279
+
+                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730844029,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
+                        <div class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:08:55 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="5900011248769263616"></a>
+                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
+                <a href="">/m/v3/actions/login-m-by-name</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
+                    that allows access from any domain.<br><br>The application allowed access from the requested origin
+                    <strong>https://zwa.com</strong><br><br>The response uses a wildcard in the
+                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
+                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
+                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
+                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>
+                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
+                        interaction by third-party web sites. Unless the response consists only of unprotected public
+                        content, this policy is likely to present a security risk.</p>
+                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
+                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
+                        attackers may be able to bypass any IP-based access controls by proxying through users'
+                        browsers.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
+                        trusted domains.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Authorization: Bearer undefined
+                        Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0
+                        <span class="highlight">Origin: https://zwa.com</span>
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 33
+
+                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:08:00 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="1161946040846946304"></a>
+                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
+                <a href="">/m/v3/actions/request-m-password-reset</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
+                    that allows access from any domain.<br><br>The application allowed access from the requested origin
+                    <strong>https://wsparhyjqvka.com</strong><br><br>The response uses a wildcard in the
+                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
+                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
+                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
+                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>
+                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
+                        interaction by third-party web sites. Unless the response consists only of unprotected public
+                        content, this policy is likely to present a security risk.</p>
+                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
+                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
+                        attackers may be able to bypass any IP-based access controls by proxying through users'
+                        browsers.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
+                        trusted domains.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0
+                        <span class="highlight">Origin: https://wsparhyjqvka.com</span>
+                        Referer: https://instance.example.com/fe/m3/request-reset-password
+                        Content-Type: application/json
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        Content-Length: 94
+
+                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:08:21 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="8827647893815513088"></a>
+                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
+                <a href="">/m/v3/translations</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
+                    that allows access from any domain.<br><br>The application allowed access from the requested origin
+                    <strong>https://tjelewarvblp.com</strong><br><br>The response uses a wildcard in the
+                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
+                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
+                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
+                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>
+                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
+                        interaction by third-party web sites. Unless the response consists only of unprotected public
+                        content, this policy is likely to present a security risk.</p>
+                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
+                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
+                        attackers may be able to bypass any IP-based access controls by proxying through users'
+                        browsers.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
+                        trusted domains.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        <span class="highlight">Origin: https://tjelewarvblp.com</span>
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:04:37 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="3408790232388447232"></a>
+                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
+                <a href="">/m/v3/translations/locales</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
+                    that allows access from any domain.<br><br>The application allowed access from the requested origin
+                    <strong>https://pduoenagjukk.com</strong><br><br>The response uses a wildcard in the
+                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
+                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
+                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
+                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
+                        other domains can perform two-way interaction with the domain that publishes the policy. The
+                        policy is fine-grained and can apply access controls per-request based on the URL and other
+                        features of the request.</p>
+                    <p>
+                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
+                        interaction by third-party web sites. Unless the response consists only of unprotected public
+                        content, this policy is likely to present a security risk.</p>
+                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
+                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
+                        attackers may be able to bypass any IP-based access controls by proxying through users'
+                        browsers.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
+                        trusted domains.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
+                                resource sharing (CORS)</a></li>
+                        <li><a
+                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
+                                CORS Misconfigurations</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
+                                Cross-domain Whitelist</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: application/json, text/plain, */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Referer: https://instance.example.com/fe/m3/m-login
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+                        <span class="highlight">Origin: https://pduoenagjukk.com</span>
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 500 Internal Server Error
+                        Date: Tue, 05 Nov 2024 22:09:12 GMT
+                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
+                        Content-Length: 0
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        <span class="highlight">Access-Control-Allow-Origin: *</span>
+                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
+                        Access-Control-Max-Age: 86400
+
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="1403797905824836608"></a>
+                <h2>Robots.txt file</h2>
+                <a href="">/robots.txt</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The web server contains a robots.txt file.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>The file robots.txt is used to give instructions to web robots, such as search engine crawlers,
+                        about locations within the web site that robots are allowed, or not allowed, to crawl and index.
+                    </p>
+                    <p>The presence of the robots.txt does not in itself present any kind of security vulnerability.
+                        However, it is often used to identify restricted or private areas of a site's contents. The
+                        information in the file may therefore help an attacker to map out the site's contents,
+                        especially if some of the locations identified are not linked from elsewhere in the site. If the
+                        application relies on robots.txt to protect access to these areas, and does not enforce proper
+                        access control over them, then this presents a serious vulnerability.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The robots.txt file is not itself a security threat, and its correct use can represent good
+                        practice for non-security reasons. You should not assume that all web robots will honor the
+                        file's instructions. Rather, assume that attackers will pay close attention to any locations
+                        identified in the file. Do not rely on robots.txt to provide any kind of protection over
+                        unauthorized access.</p>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a>
+                        </li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET <span class="highlight">/robots.txt</span> HTTP/1.1
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept: */*
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/1.1 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:51 GMT
+                        Content-Type: text/plain
+                        Content-Length: 195
+                        Connection: close
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        Last-Modified: Tue, 15 Oct 2024 15:56:17 GMT
+                        ETag: &quot;c3-62485fe5f1553-gzip&quot;
+                        Accept-Ranges: bytes
+                        Vary: Accept-Encoding
+
+                        User-agent: *
+                        Disallow: /app
+                        Disallow: /apidocs/example-app-install.pdf
+                        Disallow: /dashboard/
+                        Disallow: /m2/
+                        Disallow: /m/
+                        Disallow: /js/
+                        Disallow: /modules/api/fetch-dictionary.php
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="8892116954353746944"></a>
+                <h2>Cacheable HTTPS response</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>
+                    Issue description:
+                </h3>
+                <div>
+                    <p>Unless directed otherwise, browsers may store a local cached copy of content received from web
+                        servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If
+                        sensitive information in application responses is stored in the local cache, then this may be
+                        retrieved by other users who have access to the same computer at a future time.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>Applications should return caching directives instructing browsers not to store local copies of
+                        any sensitive data. Often, this can be achieved by configuring the web server to prevent caching
+                        for relevant paths within the web root. Alternatively, most web development platforms allow you
+                        to control the server's caching directives from within individual scripts. Ideally, the web
+                        server should return the following HTTP headers in all responses containing sensitive content:
+                    </p>
+                    <ul>
+                        <li>Cache-control: no-store</li>
+                        <li>Pragma: no-cache</li>
+                    </ul>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/information-disclosure">Web Security Academy:
+                                Information disclosure</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/524.html">CWE-524: Information Exposure
+                                Through Caching</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/525.html">CWE-525: Information Exposure
+                                Through Browser Caching</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/37.html">CAPEC-37: Retrieve Embedded
+                                Sensitive Data</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="5632626482916889600"></a>
+                <h2>DOM data manipulation (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
+                    <b>location.pathname</b> and passed to <b>history.replaceState</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
+                        that is used within the visible UI or client-side application logic. An attacker may be able to
+                        use the vulnerability to construct a URL that, if visited by another application user, will
+                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
+                        this to perform virtual defacement of the application, or possibly to induce the user to perform
+                        unintended actions. </p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
+                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
+                        desired functionality of the application means that this behavior is unavoidable, then defenses
+                        must be implemented within the client-side code to prevent malicious data from being stored. In
+                        general, this is best achieved by using a whitelist of permitted values.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
+                                Academy: DOM data manipulation</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
+                                Manipulation</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.pathname</b> and passed to <b>history.replaceState</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get pathname (&lt;anonymous&gt;:1:249642)
+at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
+at https://instance.example.com/fe/js/app.js:994:18</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
+at Object.skeuk (&lt;anonymous&gt;:1:548616)
+at History.replaceState (&lt;anonymous&gt;:1:548864)
+at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)</pre>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="2020756852015877120"></a>
+                <h2>DOM data manipulation (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
+                    <b>location.search</b> and passed to <b>history.replaceState</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
+                        that is used within the visible UI or client-side application logic. An attacker may be able to
+                        use the vulnerability to construct a URL that, if visited by another application user, will
+                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
+                        this to perform virtual defacement of the application, or possibly to induce the user to perform
+                        unintended actions. </p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
+                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
+                        desired functionality of the application means that this behavior is unavoidable, then defenses
+                        must be implemented within the client-side code to prevent malicious data from being stored. In
+                        general, this is best achieved by using a whitelist of permitted values.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
+                                Academy: DOM data manipulation</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
+                                Manipulation</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.search</b> and passed to <b>history.replaceState</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get search (&lt;anonymous&gt;:1:248279)
+at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
+at https://instance.example.com/fe/js/app.js:994:18</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
+at Object.skeuk (&lt;anonymous&gt;:1:548616)
+at History.replaceState (&lt;anonymous&gt;:1:548864)
+at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)</pre>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="547516727130662912"></a>
+                <h2>DOM data manipulation (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
+                    <b>location.hash</b> and passed to <b>history.replaceState</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
+                        that is used within the visible UI or client-side application logic. An attacker may be able to
+                        use the vulnerability to construct a URL that, if visited by another application user, will
+                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
+                        this to perform virtual defacement of the application, or possibly to induce the user to perform
+                        unintended actions. </p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
+                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
+                        desired functionality of the application means that this behavior is unavoidable, then defenses
+                        must be implemented within the client-side code to prevent malicious data from being stored. In
+                        general, this is best achieved by using a whitelist of permitted values.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
+                                Academy: DOM data manipulation</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
+                                Manipulation</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.hash</b> and passed to <b>history.replaceState</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get hash (&lt;anonymous&gt;:1:249429)
+at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
+at https://instance.example.com/fe/js/app.js:994:18</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
+at Object.skeuk (&lt;anonymous&gt;:1:548616)
+at History.replaceState (&lt;anonymous&gt;:1:548864)
+at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)</pre>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="3668057833940777984"></a>
+                <h2>DOM data manipulation (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
+                    <b>location.pathname</b> and passed to <b>history.replaceState</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
+                        that is used within the visible UI or client-side application logic. An attacker may be able to
+                        use the vulnerability to construct a URL that, if visited by another application user, will
+                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
+                        this to perform virtual defacement of the application, or possibly to induce the user to perform
+                        unintended actions. </p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
+                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
+                        desired functionality of the application means that this behavior is unavoidable, then defenses
+                        must be implemented within the client-side code to prevent malicious data from being stored. In
+                        general, this is best achieved by using a whitelist of permitted values.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
+                                Academy: DOM data manipulation</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
+                                Manipulation</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.pathname</b> and passed to <b>history.replaceState</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get pathname (&lt;anonymous&gt;:1:249642)
+at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
+at https://instance.example.com/fe/js/app.js:994:18</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
+at Object.skeuk (&lt;anonymous&gt;:1:548616)
+at History.replaceState (&lt;anonymous&gt;:1:548864)
+at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
+at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
+at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
+at https://instance.example.com/fe/js/cv-script.js:220724:27</pre>
+                            </li>
+
+                            <li>
+                                <p>This was triggered by a <b>loadend</b> event.</p>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="7064533534944179200"></a>
+                <h2>DOM data manipulation (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
+                    <b>location.search</b> and passed to <b>history.replaceState</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
+                        that is used within the visible UI or client-side application logic. An attacker may be able to
+                        use the vulnerability to construct a URL that, if visited by another application user, will
+                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
+                        this to perform virtual defacement of the application, or possibly to induce the user to perform
+                        unintended actions. </p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
+                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
+                        desired functionality of the application means that this behavior is unavoidable, then defenses
+                        must be implemented within the client-side code to prevent malicious data from being stored. In
+                        general, this is best achieved by using a whitelist of permitted values.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
+                                Academy: DOM data manipulation</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
+                                Manipulation</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.search</b> and passed to <b>history.replaceState</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get search (&lt;anonymous&gt;:1:248279)
+at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
+at https://instance.example.com/fe/js/app.js:994:18</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
+at Object.skeuk (&lt;anonymous&gt;:1:548616)
+at History.replaceState (&lt;anonymous&gt;:1:548864)
+at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
+at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
+at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
+at https://instance.example.com/fe/js/cv-script.js:220724:27</pre>
+                            </li>
+
+                            <li>
+                                <p>This was triggered by a <b>loadend</b> event.</p>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="7933681146442143744"></a>
+                <h2>DOM data manipulation (DOM-based)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
+                    <b>location.hash</b> and passed to <b>history.replaceState</b>.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
+                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
+                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
+                        that is used within the visible UI or client-side application logic. An attacker may be able to
+                        use the vulnerability to construct a URL that, if visited by another application user, will
+                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
+                        this to perform virtual defacement of the application, or possibly to induce the user to perform
+                        unintended actions. </p>
+
+                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
+                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
+                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
+                        execution paths to determine whether this vulnerability is indeed present, or whether
+                        mitigations are in place that would prevent exploitation.</p>
+                </div>
+
+                <h3>
+                    Issue remediation:
+                </h3>
+                <div>
+                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
+                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
+                        desired functionality of the application means that this behavior is unavoidable, then defenses
+                        must be implemented within the client-side code to prevent malicious data from being stored. In
+                        general, this is best achieved by using a whitelist of permitted values.</p>
+                </div>
+
+                <h3>References</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
+                                Academy: DOM data manipulation</a></li>
+                    </ul>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
+                                Manipulation</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3/m-login HTTP/2
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/2 200 OK
+                        Date: Tue, 05 Nov 2024 21:59:12 GMT
+                        Content-Type: text/html; charset=UTF-8
+                        Content-Length: 1906
+                        Server: Apache/2.4.62 (Ubuntu)
+                        X-Frame-Options: SAMEORIGIN
+                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
+                        X-Powered-By: Express
+                        Accept-Ranges: bytes
+                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
+                        Vary: Accept-Encoding
+
+                        &lt;!DOCTYPE html&gt;
+                        &lt;html lang=&quot;&quot;&gt;
+                        &lt;head&gt;
+                        &lt;meta charset=&quot;utf-8&quot; /&gt;
+                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
+                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
+                            class="snip"><span><span>Snip</span></span></div>
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Dynamic analysis:</h3>
+                    <div>
+                        <p>
+                            Data is read from <b>location.hash</b> and passed to <b>history.replaceState</b>.
+                        </p>
+                        <ul>
+                            <li>
+                                <p>The following value was injected into the source:</p>
+                                <pre
+                                    class="code">#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The previous value reached the sink:</p>
+                                <pre
+                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at source was:</p>
+                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
+at get hash (&lt;anonymous&gt;:1:249429)
+at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
+at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
+at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
+at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at fn (https://instance.example.com/fe/js/app.js:151:20)
+at 1 (https://instance.example.com/fe/js/app.js:172609:18)
+at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
+at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
+at https://instance.example.com/fe/js/app.js:994:18</pre>
+                            </li>
+
+                            <li>
+                                <p>The stack trace at the sink was:</p>
+                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
+at Object.skeuk (&lt;anonymous&gt;:1:548616)
+at History.replaceState (&lt;anonymous&gt;:1:548864)
+at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
+at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
+at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
+at https://instance.example.com/fe/js/cv-script.js:220724:27</pre>
+                            </li>
+
+                            <li>
+                                <p>This was triggered by a <b>loadend</b> event.</p>
+                            </li>
+
+                        </ul>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+        <div class="section divider"></div>
+
+        <div class="section details standalone-section">
+            <h1>More details for http://instance.example.com</h1>
+        </div>
+
+        <div class="section details issue-type-container">
+            <div class="issue-container">
+                <a name="3588084604190000128"></a>
+                <h2>Input returned in response (reflected)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The value of the URL path folder 1 is copied into the application's response.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Reflection of input arises when data is copied from a request and echoed into the application's
+                        immediate response.</p>
+                    <p>Input being returned in application responses is not a vulnerability in its own right. However,
+                        it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open
+                        redirection, content spoofing, and response header injection. Additionally, some server-side
+                        vulnerabilities such as SQL injection are often easier to identify and exploit when input is
+                        returned in responses. In applications where input retrieval is rare and the environment is
+                        resistant to automated testing (for example, due to a web application firewall), it might be
+                        worth subjecting instances of it to focused manual testing. </p>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe<span class="highlight">s56j3607g3</span>/m3/m-login HTTP/1.1
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/1.1 301 Moved Permanently
+                        Server: awselb/2.0
+                        Date: Tue, 05 Nov 2024 22:04:46 GMT
+                        Content-Type: text/html
+                        Content-Length: 134
+                        Connection: close
+                        Location: https://instance.example.com:443/fe<span
+                            class="highlight">s56j3607g3</span>/m3/m-login
+
+                        &lt;html&gt;
+                        &lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;/title&gt;&lt;/head&gt;
+                        &lt;body&gt;
+                        &lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;/h1&gt;&lt;/center&gt;
+                        &lt;/body&gt;
+                        &lt;/html&gt;
+                    </div>
+                </div>
+            </div>
+            <div class="issue-container">
+                <a name="6924794329102809088"></a>
+                <h2>Input returned in response (reflected)</h2>
+                <a href="">/fe/m3/m-login</a>
+
+                <h3>Issue detail:</h3>
+                <div>
+                    The value of the URL path folder 2 is copied into the application's response.
+                </div>
+
+                <h3>
+                    Issue background:
+                </h3>
+                <div>
+                    <p>Reflection of input arises when data is copied from a request and echoed into the application's
+                        immediate response.</p>
+                    <p>Input being returned in application responses is not a vulnerability in its own right. However,
+                        it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open
+                        redirection, content spoofing, and response header injection. Additionally, some server-side
+                        vulnerabilities such as SQL injection are often easier to identify and exploit when input is
+                        returned in responses. In applications where input retrieval is rare and the environment is
+                        resistant to automated testing (for example, due to a web application firewall), it might be
+                        worth subjecting instances of it to focused manual testing. </p>
+                </div>
+
+                <h3>Vulnerability classifications</h3>
+                <div class="no-bullets">
+                    <ul>
+                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
+                                Validation</a></li>
+                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
+                                Escaping of Output</a></li>
+                    </ul>
+                </div>
+
+                <div class="evidence-container">
+                    <h3>Request:</h3>
+                    <div class="request-response">GET /fe/m3<span class="highlight">mx6wpfgqge</span>/m-login HTTP/1.1
+                        Host: instance.example.com
+                        Accept-Encoding: gzip, deflate, br
+                        Accept:
+                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+                        Accept-Language: en-US;q=0.9,en;q=0.8
+                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+                        Chrome/130.0.6723.70 Safari/537.36
+                        Connection: close
+                        Cache-Control: max-age=0
+                        Upgrade-Insecure-Requests: 1
+                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
+                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
+                        Sec-CH-UA-Platform: Windows
+                        Sec-CH-UA-Mobile: ?0
+
+                    </div>
+                </div>
+                <div class="evidence-container">
+                    <h3>Response:</h3>
+                    <div class="request-response">HTTP/1.1 301 Moved Permanently
+                        Server: awselb/2.0
+                        Date: Tue, 05 Nov 2024 22:05:07 GMT
+                        Content-Type: text/html
+                        Content-Length: 134
+                        Connection: close
+                        Location: https://instance.example.com:443/fe/m3<span
+                            class="highlight">mx6wpfgqge</span>/m-login
+
+                        &lt;html&gt;
+                        &lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;/title&gt;&lt;/head&gt;
+                        &lt;body&gt;
+                        &lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;/h1&gt;&lt;/center&gt;
+                        &lt;/body&gt;
+                        &lt;/html&gt;
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="section divider"></div>
+
+    </div>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/unittests/tools/test_burp_enterprise_parser.py b/unittests/tools/test_burp_enterprise_parser.py
index 0d28dfe26f..ec45b95c2f 100644
--- a/unittests/tools/test_burp_enterprise_parser.py
+++ b/unittests/tools/test_burp_enterprise_parser.py
@@ -22,13 +22,9 @@ def test_burp_enterprise_with_multiple_vulns(self):
                 self.assertTrue(finding.dynamic_finding)
                 self.assertEqual(942, finding.cwe)
                 self.assertEqual("Cross-origin resource sharing: arbitrary origin trusted", finding.title)
-                description = """**Issue detail:**
-The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.The application allowed access from the requested origin https://llqvfwgbsdau.com
-
-"""
-                self.assertEqual(description, finding.description)
+                self.assertIn("**Issue detail**:\nThe application implements an HTML5 cross-origin resource sharing (CORS) policy", finding.description)
                 self.assertIn("An HTML5 cross-origin resource sharing (CORS) policy controls", finding.impact)
-                self.assertIn("(Web Security Academy: Cross-origin resource sharing (CORS))[https://portswigger.net/web-security/cors]", finding.references)
+                self.assertIn("[Web Security Academy: Cross-origin resource sharing (CORS)](https://portswigger.net/web-security/cors)", finding.references)
                 self.assertEqual(1, len(finding.unsaved_endpoints))
                 self.assertEqual("example.com", finding.unsaved_endpoints[0].host)
 
@@ -38,4 +34,33 @@ def test_burp_enterprise_with_multiple_vulns(self):
                 self.assertTrue(finding.dynamic_finding)
                 self.assertIsNone(finding.cwe)
                 self.assertEqual("WAF Detected: redacted", finding.title)
-                self.assertIn("WAF tech. details    : Cloud-based CDN, WAF & DDoS prevention", finding.description)
+                self.assertIn("**Issue detail**:\nFingerprint Details:\n\nWAF Type : redacted\nWAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description)
+
+    def test_burp_enterprise_with_multiple_vulns_newer_format(self):
+        with open(path.join(path.dirname(__file__), "../scans/burp_enterprise/many_vulns_updated_format.html"), encoding="utf-8") as test_file:
+            parser = BurpEnterpriseParser()
+            findings = parser.get_findings(test_file, Test())
+            for finding in findings:
+                for endpoint in finding.unsaved_endpoints:
+                    endpoint.clean()
+            self.assertEqual(12, len(findings))
+
+            with self.subTest(i=0):
+                finding = findings[0]
+                self.assertEqual("Low", finding.severity)
+                self.assertTrue(finding.dynamic_finding)
+                self.assertEqual(523, finding.cwe)
+                self.assertEqual("Strict transport security not enforced", finding.title)
+                self.assertIn("**Issue description**:\nThe application fails to prevent users from connecting to it over unencrypted connections.", finding.description)
+                self.assertIn("**Issue remediation**:\nThe application should instruct web browsers to only access the application using HTTPS.", finding.impact)
+                self.assertIn("- [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)", finding.references)
+                self.assertEqual(7, len(finding.unsaved_endpoints))
+                self.assertEqual("instance.example.com", finding.unsaved_endpoints[0].host)
+
+            with self.subTest(i=5):
+                finding = findings[5]
+                self.assertEqual("Info", finding.severity)
+                self.assertTrue(finding.dynamic_finding)
+                self.assertEqual(116, finding.cwe)
+                self.assertEqual("Content security policy: allows form hijacking", finding.title)
+                self.assertIn("**Issue detail**:\nThe content security policy doesn't prevent form hijacking", finding.description)

From eb6537e8f1f05556161a341dfbf89ec35f12311a Mon Sep 17 00:00:00 2001
From: kiblik <5609770+kiblik@users.noreply.github.com>
Date: Tue, 12 Nov 2024 16:54:41 +0100
Subject: [PATCH 11/13] feat(helm): Add support for staticName for initializer
 (#11237)

---
 helm/defectdojo/templates/_helpers.tpl | 4 ++++
 helm/defectdojo/values.yaml            | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl
index 14256e8819..c3e0026c2e 100644
--- a/helm/defectdojo/templates/_helpers.tpl
+++ b/helm/defectdojo/templates/_helpers.tpl
@@ -102,8 +102,12 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 
 {{- define "initializer.jobname" -}}
+{{- if .Values.initializer.staticName -}}
+{{ .Release.Name }}-initializer
+{{- else -}}
 {{ .Release.Name }}-initializer-{{- printf "%s" now | date "2006-01-02-15-04" -}}
 {{- end -}}
+{{- end -}}
 
 {{/*
   Creates the array for DD_ALLOWED_HOSTS in configmap
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
index b2d0422bc2..f480810d43 100644
--- a/helm/defectdojo/values.yaml
+++ b/helm/defectdojo/values.yaml
@@ -365,6 +365,11 @@ initializer:
   # @type: array<map>
   extraVolumes: []
 
+  # staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer")
+  # or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57")
+  # This might be handy for ArgoCD deployments
+  staticName: false
+
 postgresql:
   enabled: true
   auth:

From b079c374e27b08cccb2879163620dd0345536a24 Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Tue, 12 Nov 2024 10:29:24 -0600
Subject: [PATCH 12/13] GHA Artifacts: Update to v4 (#11205)

* GHA Artifacts: Update to v4

* segregate paths even further

* Adjust artifact paths

* Tweak paths again
---
 .../workflows/build-docker-images-for-testing.yml    |  4 ++--
 .github/workflows/fetch-oas.yml                      |  2 +-
 .github/workflows/integration-tests.yml              | 12 ++++++++----
 .github/workflows/k8s-tests.yml                      | 10 +++++++---
 .github/workflows/release-drafter.yml                |  2 +-
 .github/workflows/rest-framework-tests.yml           | 10 +++++++---
 6 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build-docker-images-for-testing.yml b/.github/workflows/build-docker-images-for-testing.yml
index c5753973ae..cd9c549494 100644
--- a/.github/workflows/build-docker-images-for-testing.yml
+++ b/.github/workflows/build-docker-images-for-testing.yml
@@ -49,8 +49,8 @@ jobs:
       # export docker images to be used in next jobs below
       - name: Upload image ${{ matrix.docker-image }} as artifact
         timeout-minutes: 10
-        uses:  actions/upload-artifact@v3
+        uses:  actions/upload-artifact@v4
         with:
-          name: ${{ matrix.docker-image }}
+          name: built-docker-image-${{ matrix.docker-image }}-${{ matrix.os }}
           path: ${{ matrix.docker-image }}-${{ matrix.os }}_img
           retention-days: 1
diff --git a/.github/workflows/fetch-oas.yml b/.github/workflows/fetch-oas.yml
index 7928fadd9e..5ec0aa9aba 100644
--- a/.github/workflows/fetch-oas.yml
+++ b/.github/workflows/fetch-oas.yml
@@ -51,7 +51,7 @@ jobs:
         run: docker compose down
 
       - name: Upload oas.${{ matrix.file-type }} as artifact
-        uses:  actions/upload-artifact@v3
+        uses:  actions/upload-artifact@v4
         with:
           name: oas-${{ matrix.file-type }}
           path: oas.${{ matrix.file-type }}
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 0b12d25a77..cd8d807237 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -45,14 +45,18 @@ jobs:
 
       # load docker images from build jobs
       - name: Load images from artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
+        with:
+          path: built-docker-image
+          pattern: built-docker-image-*
+          merge-multiple: true
 
       - name: Load docker images
         timeout-minutes: 10
         run: |-
-             docker load -i nginx/nginx-${{ matrix.os }}_img
-             docker load -i django/django-${{ matrix.os }}_img
-             docker load -i integration-tests/integration-tests-debian_img
+             docker load -i built-docker-image/nginx-${{ matrix.os }}_img
+             docker load -i built-docker-image/django-${{ matrix.os }}_img
+             docker load -i built-docker-image/integration-tests-debian_img
              docker images
 
       - name: Set integration-test mode
diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 60f8bc3c38..a4feb77273 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -48,14 +48,18 @@ jobs:
           minikube status
 
       - name: Load images from artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
+        with:
+          path: built-docker-image
+          pattern: built-docker-image-*
+          merge-multiple: true
 
       - name: Load docker images
         timeout-minutes: 10
         run: |-
              eval $(minikube docker-env)
-             docker load -i nginx/nginx-${{ matrix.os }}_img
-             docker load -i django/django-${{ matrix.os }}_img
+             docker load -i built-docker-image/nginx-${{ matrix.os }}_img
+             docker load -i built-docker-image/django-${{ matrix.os }}_img
              docker images
 
       - name: Configure HELM repos
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index d05cb19142..2a4d7ef037 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Load OAS files from artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
 
       - name: Upload Release Asset - OpenAPI Specification - YAML
         id: upload-release-asset-yaml
diff --git a/.github/workflows/rest-framework-tests.yml b/.github/workflows/rest-framework-tests.yml
index f153a368ba..bd8ca3322f 100644
--- a/.github/workflows/rest-framework-tests.yml
+++ b/.github/workflows/rest-framework-tests.yml
@@ -20,13 +20,17 @@ jobs:
 
       # load docker images from build jobs
       - name: Load images from artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
+        with:
+          path: built-docker-image
+          pattern: built-docker-image-*
+          merge-multiple: true
 
       - name: Load docker images
         timeout-minutes: 10
         run: |-
-             docker load -i nginx/nginx-${{ matrix.os }}_img
-             docker load -i django/django-${{ matrix.os }}_img
+             docker load -i built-docker-image/nginx-${{ matrix.os }}_img
+             docker load -i built-docker-image/django-${{ matrix.os }}_img
              docker images
 
       # run tests with docker compose

From 28569c0fbc64a748f7ac3b7a822b75f9ad80f59b Mon Sep 17 00:00:00 2001
From: DefectDojo release bot <dojo-release-bot@users.noreply.github.com>
Date: Tue, 12 Nov 2024 16:32:02 +0000
Subject: [PATCH 13/13] Update versions in application files

---
 components/package.json    | 2 +-
 dojo/__init__.py           | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/components/package.json b/components/package.json
index 82cd7446c6..8959190ddf 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.41.0-dev",
+  "version": "2.40.1",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
diff --git a/dojo/__init__.py b/dojo/__init__.py
index 8c5bb4603e..f912fa15f5 100644
--- a/dojo/__init__.py
+++ b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.40.0"
+__version__ = "2.40.1"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index b61326d1b8..b56712ee07 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.41.0-dev"
+appVersion: "2.40.1"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.159-dev
+version: 1.6.159
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap