Bypassing AccessControl policy via True-Client-IP header
|
Critical |
AccessControl |
Data Validation |
CWE-290
|
Request content is stringified
|
Critical |
Step |
Data Validation
DoS Protection |
CWE-20
|
AssignMessage request parameters pollution
|
High |
AssignMessage |
Data Validation |
CWE-20
|
Insecure Quota configuration
|
High |
Step |
Code Quality
Data Validation |
CWE-770
|
JSONThreatProtection policy is not applied to a request body with JSON type
|
High |
Flow |
Data Validation |
CWE-502
CWE-20
|
Open Redirect
|
High |
Step |
Data Validation |
CWE-601
CWE-20
|
Proxy doesn't have default flow
|
High |
Proxy |
Code Quality
Data Validation |
CWE-20
|
Request Content is tainted by user input
|
High |
Step |
Data Validation |
CWE-20
CWE-116
|
Target URL is tainted by user input
|
High |
Step |
Data Validation |
CWE-22
CWE-233
CWE-918
CWE-20
|
Unsafe regular expression
|
High |
Step |
Data Validation |
CWE-1333
|
Unsafe variable is used to define host
|
High |
Step |
Data Validation |
CWE-20
|
User-controlled data in ServiceCallout
|
High |
Step |
Data Validation |
CWE-233
CWE-20
|
AccessControl allows all IPs
|
Medium |
AccessControl |
Data Validation |
CWE-290
|
Flow accepts requests with any method
|
Medium |
Flow |
Data Validation |
CWE-749
|
Flow doesn't limit HTTP methods correctly
|
Medium |
Flow |
Data Validation |
CWE-749
|
Insecure JSONThreatProtection policy
|
Medium |
JSONThreatProtection |
Code Quality
Data Validation |
CWE-770
CWE-20
|
MatchesPath is applied to a static parameter
|
Medium |
Target
Proxy |
Code Quality
Data Validation |
CWE-20
|