|
JWT is decoded but not verified in the same flow phase
|
Critical |
Step |
Authentication & Auhtorisation |
CWE-347
|
|
Request content is stringified
|
Critical |
Step |
Data Validation
DoS Protection |
CWE-20
|
|
Flow accepts confidential data as URL parameters
|
High |
Flow
PreFlow |
Data in Transit |
CWE-598
|
|
Request Content is tainted by user input
|
High |
Step |
Data Validation |
CWE-20
CWE-116
|
|
Target URL is tainted by user input
|
High |
Step |
Data Validation |
CWE-22
CWE-233
CWE-918
CWE-20
|
|
JSONThreatProtection policy is not applied to a request body with JSON type
|
High |
Flow |
Data Validation |
CWE-502
CWE-20
|
|
Masked flow variable is written into unmasked one
|
High |
Step |
Data at Rest |
CWE-532
|
|
Insecure Quota configuration
|
High |
Step |
Code Quality
Data Validation |
CWE-770
|
|
User-controlled data in ServiceCallout
|
High |
Step |
Data Validation |
CWE-233
CWE-20
|
|
Open Redirect
|
High |
Step |
Data Validation |
CWE-601
CWE-20
|
|
Policy sets confidential data in URL parameters
|
High |
Step |
Data in Transit |
CWE-598
|
|
Unsafe variable is used to define host
|
High |
Step |
Data Validation |
CWE-20
|
|
Confidential data is used as a cache key
|
High |
Step |
Data at Rest |
CWE-256
CWE-312
|
|
Private flow variable is written into public one
|
Medium |
Step |
Data at Rest |
CWE-532
|
|
Condition has undefined variables
|
Medium |
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Error flow variable is set but not checked in request phase
|
Medium |
Step |
Error Handling |
CWE-390
|
|
Policy errors are not caught
|
Low |
Step |
Error Handling |
CWE-390
|
|
Overcomplicated or malformed condition
|
Low |
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Step operates undefined flow variables
|
Low |
Step |
Code Quality |
CWE-457
|
|
Unused flow variables
|
Info |
Step |
Code Quality |
CWE-563
|