|
High
|
|
User-controlled data in ServiceCallout
|
Step |
Data Validation |
CWE-233
CWE-20
|
|
Use of weak hash algorithms
|
AssignMessage
HMAC
JavaScript |
Secure Configuration |
CWE-327
|
|
Unsafe variable is used to define host
|
Step |
Data Validation |
CWE-20
|
|
Unsafe regular expression
|
Step |
Data Validation |
CWE-1333
|
|
Target URL is tainted by user input
|
Step |
Data Validation |
CWE-22
CWE-233
CWE-918
CWE-20
|
|
SpikeArrest policy doesn't use any identifier
|
SpikeArrest |
DoS Protection |
CWE-770
|
|
Request content is tainted by user input
|
Step |
Data Validation |
CWE-20
CWE-116
|
|
Proxy doesn't have default flow
|
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
Policy sets confidential data in URL parameters
|
Step |
Data in Transit |
CWE-598
|
|
Open Redirect
|
Step |
Data Validation |
CWE-601
CWE-20
|
|
No TLS protocol specified in connection definition
|
ServiceCallout
MessageLogging
Target |
Data in Transit |
CWE-327
|
|
JSONThreatProtection policy is not applied to a request body with JSON type
|
Flow |
Data Validation |
CWE-502
CWE-20
|
|
Insecure Quota configuration
|
Step |
Code Quality
Data Validation |
CWE-770
|
|
Flow accepts confidential data as URL parameters
|
Flow
PreFlow |
Data in Transit |
CWE-598
|
|
Low
|
|
Step operates undefined flow variables
|
Step |
Code Quality |
CWE-457
|
|
Sharedflow has not beeing scanned by CodeSent
|
FlowCallout |
Code Quality |
|
|
Policy errors are not caught
|
Step |
Error Handling |
CWE-390
|
|
Overcomplicated or malformed condition
|
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
No mask configuration for the proxy
|
Proxy |
Code Quality |
|
|
Missing security headers
|
Proxy |
Secure Configuration |
CWE-523
|