Low Medium Critical
Name Severity Scopes Tags Links
Bypassing AccessControl policy via True-Client-IP header Critical AccessControl Data Validation CWE-290
Connection to the system is not encrypted Critical ServiceCallout MessageLogging Target Data in Transit CWE-319
JWT/JWS is decoded but not verified in the same flow phase Critical Step Authentication & Authorisation CWE-347
Lack of certificate validation Critical ServiceCallout MessageLogging Target Data in Transit CWE-295
Request content is stringified Critical Step Data Validation DoS Protection CWE-20
Sensitive information is in the source code Critical Step Data at Rest CWE-256 CWE-312
AccessControl allows all IPs Medium AccessControl Data Validation CWE-290
Condition has undefined variables Medium Step RouteRule Flow Code Quality CWE-570 CWE-571
Error flow variable is set but not checked in request phase Medium Step Error Handling CWE-390
Flow accepts requests with any method Medium Flow Data Validation CWE-749
Flow doesn't limit HTTP methods correctly Medium Flow Data Validation CWE-749
Insecure JSONThreatProtection policy Medium JSONThreatProtection Code Quality Data Validation CWE-770 CWE-20
Insecure token expiration configuration Medium OAuthV2 Secure Configuration CWE-613
Lack of DefaultFaultRule Medium Target Proxy Error Handling CWE-390
Masked flow variable is written into unmasked one Medium Step Data at Rest CWE-532
MatchesPath is applied to a static parameter Medium Target Proxy Code Quality Data Validation CWE-20
No SpikeArrest policy is applied Medium Proxy Code Quality DoS Protection CWE-770
Private flow variable is written into public one Medium Step Data at Rest CWE-532
ServiceCallout policy uses default message object as a request Medium ServiceCallout Code Quality CWE-200
ServiceCallout policy uses default message object as a response Medium ServiceCallout Code Quality CWE-200