registry  /  @nemtsevk/amo-widget-components  /  1.8.16

@nemtsevk/amo-widget-components@1.8.16

AmoCRM widgets components lib

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Mounted settings UI fetches remotely controlled contact/social metadata and SVG assets. Raw SVG text is inserted into the DOM without sanitization, creating a remote-content XSS injection surface.

Static reason
One or more suspicious static signals were detected.
Trigger
Rendering the package's widget description or footer in AmoCRM settings.
Impact
A compromised or malicious content endpoint could supply active markup to the host page context.
Mechanism
Remote SVG fetch followed by unsanitized `innerHTML` insertion.
Rationale
No install hook, credential harvesting, persistence, or local execution was found. However, unsanitized, remotely supplied SVG/markup in a privileged host UI is a concrete client-side injection vulnerability.
Evidence
package.jsonsrc/riot_tags/widget_settings_panel/help-order-form.riotsrc/riot_tags/widget_settings_panel/footer-info.riotsrc/riot_tags/widget_settings_panel/widget-description.riotsrc/WidgetActions/MountDescriptionAction.jsbuild/index.js
Network endpoints2
mazdata.ru/amo-integrations/get-contactsmazdata.ru/amo-integrations/get-socials

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `help-order-form.riot` fetches remote contacts on mount.
  • Remote icon response text is assigned directly to `innerHTML`.
  • `footer-info.riot` repeats the remote SVG-to-`innerHTML` pattern.
  • Remote API controls icon URLs and rendered SVG markup.
Evidence against
  • `package.json` has no lifecycle hooks or executable bin.
  • Network requests use `credentials: "omit"`.
  • Source contains no Node shell, filesystem, environment harvesting, or persistence APIs.
  • `build/index.js` matches the inspected source behavior.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 985 KB of source, external domains: deltasales.ru, mazdata.ru, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Medium4 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings