API Misconfiguration
This page lists 36 vulnerabilities in this category.
| Vulnerability Name | CVE | CWE | Severity |
|---|---|---|---|
| Weak password | - | CWE-200 | High |
| Web application default/weak credentials | - | CWE-200 | High |
| JWT Signature Bypass via unvalidated x5u parameter | - | CWE-287 | High |
| JWT Signature Bypass via unvalidated x5c parameter | - | CWE-287 | High |
| JWT Signature Bypass via kid SQL injection | - | CWE-287 | High |
| JWT Signature Bypass via kid Path Traversal | - | CWE-287 | High |
| JWT Signature Bypass via unvalidated jwk parameter | - | CWE-287 | High |
| JWT Signature Bypass via unvalidated jku parameter | - | CWE-287 | High |
| Microservice Directory Traversal | - | CWE-22 | High |
| SAML Response signature exclusion | - | CWE-16 | High |
| No SAML Response signature check | - | CWE-16 | High |
| SAML Response without signature | - | CWE-16 | High |
| SAML Consumer Service XSS vulnerability | - | CWE-80 | High |
| Unvalidated JWT jku parameter | - | CWE-287 | High |
| X-Forwarded-For HTTP header security bypass | - | CWE-287 | High |
| Struts 2 development mode | - | CWE-489 | High |
| GraphiQL Explorer/Playground Enabled | - | CWE-200 | Medium |
| SSL/TLS Not Implemented | - | CWE-319 | Medium |
| Spring Boot Actuator | - | CWE-489 | Medium |
| Spring Boot Actuator v2 | - | CWE-489 | Medium |
| Old API Version Exposed | - | CWE-693 | Medium |
| Sensitive Data Exposure | - | CWE-200 | Medium |
| GraphQL Field Suggestions Enabled | - | CWE-200 | Medium |
| HTTP Strict Transport Security (HSTS) Policy Not Enabled | - | CWE-16 | Medium |
| GraphQL Unhandled Error Leakage | - | CWE-209 | Medium |
| GraphQL Array-based Query Batching Allowed: Potential Batching Attack Vulnerability | - | CWE-770 | Medium |
| GraphQL Non-JSON Queries over POST: Potential CSRF Vulnerability | - | CWE-352 | Medium |
| GraphQL Introspection Query Enabled | - | CWE-200 | Medium |
| GraphQL Non-JSON Mutations over GET: Potential CSRF Vulnerability | - | CWE-352 | Medium |
| GraphQL Non-JSON Queries over GET: Potential CSRF Vulnerability | - | CWE-352 | Medium |
| Missing Content-Type Header | - | CWE-16 | Low |
| Sensitive pages could be cached | - | CWE-200 | Low |
| Access-Control-Allow-Origin header with wildcard (*) value | - | CWE-284 | Information |
| Permissions-Policy header not implemented | - | CWE-1021 | Information |
| Insecure Referrer Policy | - | CWE-16 | Information |
| Content Security Policy (CSP) Not Implemented | - | CWE-16 | Information |