|
Flow accepts requests with any method
|
Medium |
Flow |
Data Validation |
CWE-749
|
|
Flow accepts confidential data as URL parameters
|
High |
Flow
PreFlow |
Data in Transit |
CWE-598
|
|
Error flow variable is set but not checked in request phase
|
Medium |
Step |
Error Handling |
CWE-390
|
|
Connection to the system is not encrypted
|
Critical |
ServiceCallout
MessageLogging
Target |
Data in Transit |
CWE-319
|
|
Confidential data is used as a cache key
|
High |
Step |
Data at Rest |
CWE-256
CWE-312
|
|
Condition has undefined variables
|
Medium |
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Cache lookup variable is overwritten
|
Low |
Step |
Code Quality |
CWE-472
|
|
Cache is accessed without prior authentication
|
High |
Step |
Authentication & Authorisation |
CWE-306
|
|
Bypassing AccessControl policy via True-Client-IP header
|
Critical |
AccessControl |
Data Validation |
CWE-290
|
|
Authorization header is not removed before the request is sent to target system
|
High |
Proxy |
Data in Transit |
CWE-201
|
|
AssignMessage request parameters pollution
|
High |
AssignMessage |
Data Validation |
CWE-20
|
|
AccessControl allows all IPs
|
Medium |
AccessControl |
Data Validation |
CWE-290
|
|
API Key is not removed before the request is sent to target system
|
High |
Proxy |
Data in Transit |
CWE-201
|