CPU requests not specified

Property
Language: terraform
Severity: low

Description

Containers are defined without a CPU resource request. The Kubernetes scheduler places pods by comparing each container's requests against what is still allocatable on a node, so a container with no CPU request is treated as needing none and can be packed onto a node that cannot actually serve it. This leads to inefficient resource allocation and unpredictable application performance.

Impact

Without explicit CPU requests, a pod can be scheduled onto a node that lacks the CPU it actually needs, causing contention, degraded performance, or instability for both the affected pod and the other workloads sharing the node. A pod whose containers set no requests or limits at all also falls into the BestEffort QoS class, which is the first to be evicted under node pressure.

Creating Debug Binary

Property
Language: generic
Severity: low
CWE: CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

ASP.NET applications compiled with debug="true" in production can leak debugging details to attackers. Debug mode also disables compiler optimisations and relaxes request timeouts, which affects performance and reliability. Set debug to false or remove the attribute from the <compilation ... /> element in web.config; as a server-wide safety net, <deployment retail="true" /> in machine.config forces debug off regardless of what individual applications configure.
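
A small checker for this rule, added here as an example (it is not code from the page or from any scanner). It parses web.config with the standard library, treats a missing debug attribute as false and compares the value case-insensitively, since ASP.NET accepts "True" as well as "true". The two configs it runs over are constructed for illustration.

```python
"""Flag ASP.NET web.config files that would compile debug binaries.

Added example for the 'Creating Debug Binary' rule; the sample configs
below are constructed, not taken from any real deployment.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the misconfiguration the rule describes.
WEB_CONFIG_DEBUG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
  </system.web>
</configuration>
"""

# Constructed sample: the fix, with the debug attribute removed entirely
# (the attribute defaults to false when absent).
WEB_CONFIG_RELEASE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
  </system.web>
</configuration>
"""


def compilation_debug_enabled(web_config_xml: str) -> bool:
    """Return True if any <compilation> element enables debug.

    The value is compared case-insensitively; a missing attribute is false.
    """
    root = ET.fromstring(web_config_xml)
    for compilation in root.iter("compilation"):
        if compilation.get("debug", "false").strip().lower() == "true":
            return True
    return False


def find_debug_findings(configs: dict) -> list:
    """Return the names of configs (name -> xml text) that would be flagged."""
    return [name for name, xml in configs.items() if compilation_debug_enabled(xml)]


if __name__ == "__main__":
    print(find_debug_findings({"debug/web.config": WEB_CONFIG_DEBUG,
                               "release/web.config": WEB_CONFIG_RELEASE}))
```

The default Visual Studio web.Release.config transform strips the attribute with `<compilation xdt:Transform="RemoveAttributes(debug)" />`; the check above is useful precisely when that transform has been deleted or a debug web.config is copied to the server by hand.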

Credentials which are no longer used should be disabled.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS

Description

CIS recommends that you remove or deactivate all credentials that have been unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Resolution

Deactivate or delete credentials that are no longer used: set unused access keys to Inactive (in Terraform, an aws_iam_access_key resource accepts status = "Inactive") and disable the console password of users who have not signed in within the threshold.
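
The CIS check behind this rule is most easily run against the account's credential report. The script below is an added example, not code from the page or from any tool: it reads the CSV that `aws iam get-credential-report` returns (the column names used are the report's own) and lists every active password or access key whose last use, or creation/rotation if it was never used, is 90 or more days old. The report rows and the reference date are constructed for illustration.

```python
"""Find IAM credentials unused for 90+ days in an AWS credential report.

Added example; the sample report below is constructed (a subset of the real
report's columns, with the report's own value conventions such as N/A and
no_information), and TODAY is a fixed reference date for reproducibility.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90  # CIS threshold quoted by the rule

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T00:00:00+00:00,true,2024-05-30T08:00:00+00:00,true,2024-01-05T00:00:00+00:00,2024-05-29T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-10T00:00:00+00:00,true,2023-11-01T08:00:00+00:00,true,2023-06-01T00:00:00+00:00,N/A,false,N/A,N/A
svc-build,arn:aws:iam::123456789012:user/svc-build,2022-07-01T00:00:00+00:00,false,no_information,true,2022-07-01T00:00:00+00:00,2022-08-15T00:00:00+00:00,true,2024-05-20T00:00:00+00:00,2024-05-31T00:00:00+00:00
"""

TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference date


def _parse(ts: str):
    """Parse a report timestamp; the report's placeholder values become None."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def _stale(last_used, created, now) -> bool:
    """Stale when the last use (or, if never used, creation/rotation) is
    UNUSED_DAYS or more in the past."""
    reference = last_used or created
    return reference is not None and now - reference >= timedelta(days=UNUSED_DAYS)


def unused_credentials(report_csv: str, now=TODAY) -> list:
    """Return (user, credential) pairs that are active but unused for 90+ days.
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        created = _parse(row["user_creation_time"])
        if row["password_enabled"] == "true" and _stale(
                _parse(row["password_last_used"]), created, now):
            findings.append((row["user"], "password"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse(row[f"access_key_{n}_last_used_date"])
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if _stale(last_used, rotated, now):
                findings.append((row["user"], f"access_key_{n}"))
    return findings


if __name__ == "__main__":
    for user, cred in unused_credentials(SAMPLE_REPORT):
        print(f"{user}: {cred} unused for {UNUSED_DAYS}+ days, deactivate it")
```

A key that has never been used is measured from its rotation date rather than skipped; otherwise keys created for a one-off task and forgotten would never be reported, and those are exactly the abandoned credentials the CIS control is aimed at.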

Cross-database ownership chaining should be disabled

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

Cross-database ownership chaining is enabled, allowing users in one SQL Server database to access objects in other databases without separate permissions. This configuration weakens isolation between databases and increases the risk of unintended data exposure. On Cloud SQL for SQL Server the behaviour is controlled by the instance's "cross db ownership chaining" database flag, which should be explicitly set to off.

Impact

If exploited, users or attackers could gain unauthorized access to sensitive data or functions across multiple databases, leading to potential data leaks, privilege escalation, or compromise of critical information within the SQL environment.
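
Both the CPU-request rule above and this ownership-chaining rule are structural checks over Terraform resources, so one added example covers both. The code below is not the page's or any scanner's: it contains a deliberately small parser for the HCL subset used in its constructed sample (nested blocks, map attributes opened with a trailing brace, one attribute per line) and two rule functions, one that reports containers in kubernetes_* resources without resources.requests.cpu, and one that reports google_sql_database_instance resources running SQL Server whose "cross db ownership chaining" flag is absent or not "off".

```python
"""Two Terraform checks on one small HCL walker (added example, not code
from the page or any scanner).  The parser covers only the subset used by
the constructed SAMPLE_TF below; real HCL needs a real parser."""
import re

_OPEN = re.compile(r'^([\w-]+)((?:\s+"[^"]*")*)\s*=?\s*\{$')   # block or map opener
_ATTR = re.compile(r'^([\w-]+)\s*=\s*"?([^"]*?)"?$')          # single-line attribute
_EMPTY = {"type": "", "labels": [], "attrs": {}, "blocks": []}
FLAG = "cross db ownership chaining"


def parse_hcl(text: str) -> dict:
    """Parse the subset into nested dicts {type, labels, attrs, blocks}."""
    root = {"type": "root", "labels": [], "attrs": {}, "blocks": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif (m := _OPEN.match(line)):
            block = {"type": m[1], "labels": re.findall(r'"([^"]*)"', m[2]),
                     "attrs": {}, "blocks": []}
            stack[-1]["blocks"].append(block)
            stack.append(block)
        elif (m := _ATTR.match(line)):
            stack[-1]["attrs"][m[1]] = m[2]
        else:
            raise ValueError(f"unsupported HCL line: {raw!r}")
    return root


def find_blocks(node: dict, btype: str) -> list:
    """All blocks of a type anywhere beneath node, depth first."""
    return [b for c in node["blocks"] for b in [c] + find_blocks(c, btype) if b["type"] == btype]


def child(node: dict, btype: str) -> dict:
    """First direct child block of a type, or an empty placeholder."""
    return next((b for b in node["blocks"] if b["type"] == btype), _EMPTY)


def check_cpu_requests(root: dict) -> list:
    """Containers in kubernetes_* resources lacking resources.requests.cpu."""
    findings = []
    for res in find_blocks(root, "resource"):
        if not res["labels"][0].startswith("kubernetes_"):
            continue
        for c in find_blocks(res, "container"):
            if "cpu" not in child(child(c, "resources"), "requests")["attrs"]:
                findings.append(f'{".".join(res["labels"])}: container '
                                f'{c["attrs"].get("name", "?")} has no CPU request')
    return findings


def check_cross_db_chaining(root: dict) -> list:
    """SQL Server Cloud SQL instances whose chaining flag is absent or not 'off'."""
    findings = []
    for res in find_blocks(root, "resource"):
        if res["labels"][0] != "google_sql_database_instance":
            continue
        if not res["attrs"].get("database_version", "").startswith("SQLSERVER"):
            continue  # the flag only exists for SQL Server instances
        flags = {f["attrs"].get("name"): f["attrs"].get("value")
                 for f in find_blocks(res, "database_flags")}
        if flags.get(FLAG, "").lower() != "off":
            findings.append(f'{".".join(res["labels"])}: {FLAG} not set to off '
                            f'(found: {flags.get(FLAG, "absent")})')
    return findings


# Constructed sample: one container with a request and one without, one SQL
# Server instance missing the flag and one with it set to off.
SAMPLE_TF = """
resource "kubernetes_deployment" "web" {
  spec {
    template {
      spec {
        container {
          name = "app"
          resources {
            requests = {
              cpu = "250m"
            }
          }
        }
        container {
          name = "sidecar"
        }
      }
    }
  }
}
resource "google_sql_database_instance" "mssql" {
  database_version = "SQLSERVER_2019_STANDARD"
  settings {
  }
}
resource "google_sql_database_instance" "mssql_fixed" {
  database_version = "SQLSERVER_2019_STANDARD"
  settings {
    database_flags {
      name  = "cross db ownership chaining"
      value = "off"
    }
  }
}
"""
```

Run `check_cpu_requests(parse_hcl(SAMPLE_TF))` and `check_cross_db_chaining(parse_hcl(SAMPLE_TF))` to get one finding each. The chaining check deliberately treats an absent flag as a finding, matching the rule's "omission" type: the instance is reported until the flag is explicitly off, rather than relying on whatever the platform default happens to be.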

Cross-Site Request Forgery (CSRF)

Property
Language: apex
Severity: high
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: High
Impact Level: High
Likelihood Level: Medium

Description

Running DML operations in an Apex class constructor or initializer can have unexpected side effects: simply loading a page that uses the class executes the DML and modifies the database, with no explicit user action and no request token to check. Querying the database in these contexts is permitted.

Cross-Site Request Forgery (CSRF)

Property
Language: csharp
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

A state-changing MVC controller method is missing antiforgery token validation (for example the [ValidateAntiForgeryToken] attribute) or strict content-type checks. This means that the method can be triggered by a forged request from a third-party page the victim visits while authenticated.

Impact

Without these protections, attackers could exploit Cross-Site Request Forgery (CSRF) to perform actions on behalf of authenticated users, such as changing account data or making transactions, potentially leading to unauthorized access or data manipulation within your application.

Cross-Site Request Forgery (CSRF)

Property
Language: generic
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The CSRF protection configuration appears incomplete: requests with a content type that a cross-origin HTML form can produce ('application/x-www-form-urlencoded', 'multipart/form-data', or 'text/plain') are not subject to the CSRF check. Browsers send such form submissions without a CORS preflight, so a protection that only validates other content types (JSON, for example) can be bypassed by an attacker's page that submits a form on the victim's behalf.

Impact

If exploited, an attacker could perform unauthorized actions on behalf of authenticated users, such as changing account details or making transactions, potentially leading to data loss, fraud, or compromise of user accounts. This undermines user trust and may expose sensitive information or functions.
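
The flaw and its fix, as an added example that is not code from the page or from any framework. The Request class, the token-per-session convention and the two sample requests are constructed for illustration: `weak_csrf_check` waives the token for the three form content types (on the mistaken theory that only JSON clients can be cross-site), while `strict_csrf_check` requires a valid token on every state-changing request regardless of content type and additionally rejects a request whose Origin header names another site.

```python
"""Minimal CSRF guard showing why content type is not a CSRF defence.

Added example.  A cross-origin HTML form can submit the three content types
in FORM_TYPES without a CORS preflight, so exempting them from the check is
exactly the bypass the rule describes.
"""
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
ALLOWED_ORIGINS = {"https://app.example.com"}   # assumed site origin


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session_token: str = ""   # the CSRF token stored in the user's session

    def content_type(self) -> str:
        return self.headers.get("Content-Type", "").split(";")[0].strip().lower()


def _token_ok(req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    supplied = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    return bool(req.session_token) and hmac.compare_digest(supplied, req.session_token)


def weak_csrf_check(req: Request) -> bool:
    """Flawed: form content types skip the token check, so a forged form
    submission from another site passes."""
    if req.method in SAFE_METHODS or req.content_type() in FORM_TYPES:
        return True
    return _token_ok(req)


def strict_csrf_check(req: Request) -> bool:
    """Hardened: every state-changing request needs a valid token, and an
    Origin header, when present, must name this site."""
    if req.method in SAFE_METHODS:
        return True
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    return _token_ok(req)


# Constructed sample: the victim's browser submitting an attacker's form.
# The browser attaches the victim's session cookie, hence session_token is set.
FORGED = Request("POST",
                 headers={"Content-Type": "text/plain", "Origin": "https://evil.example"},
                 form={"amount": "1000"},
                 session_token="s3cr3t-session-token")

# Constructed sample: a legitimate same-site form post carrying the token.
LEGIT = Request("POST",
                headers={"Content-Type": "application/x-www-form-urlencoded",
                         "Origin": "https://app.example.com"},
                form={"amount": "10", "csrf_token": "s3cr3t-session-token"},
                session_token="s3cr3t-session-token")

if __name__ == "__main__":
    print("weak check lets forged request through:", weak_csrf_check(FORGED))
    print("strict check blocks it:", not strict_csrf_check(FORGED))
```

The Origin check is a second, independent signal rather than a replacement for the token: older clients and some privacy tools omit the header, which is why the strict check only rejects a present-but-foreign Origin and still insists on the token when the header is missing.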

Cross-Site Request Forgery (CSRF)

Property
Language: generic
Severity: medium
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Forms in Django templates that submit state-changing requests (POST, PUT, DELETE, or PATCH) are missing the {% csrf_token %} tag. Without this token the form is not protected against cross-site request forgery. Note that with CsrfViewMiddleware active such a form simply fails with a 403, so a finding here usually means the receiving view is @csrf_exempt or the middleware has been disabled, in which case nothing protects it.

Impact

If exploited, attackers could trick users into submitting unauthorized requests, potentially leading to unintended actions like changing user data, performing transactions, or compromising user accounts. This can result in data loss, unauthorized changes, or security breaches affecting both users and the organization.

Cross-Site Request Forgery (CSRF)

Property
Language: generic
Severity: high
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: High
Impact Level: High
Likelihood Level: Medium

Description

Performing database operations (like insert, update, upsert, or delete) in Apex class constructors or static initializers can cause unintended changes to data just by loading a page, without any explicit user action. Only database queries are safe in these contexts.

Impact

Attackers could exploit this to trigger unauthorized data changes simply by accessing or causing others to access specific pages, leading to data corruption, privilege escalation, or loss of data integrity. This weakens access control and could compromise sensitive business operations within Salesforce.

Cross-Site Request Forgery (CSRF)

Property
Language: generic
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

A form in your Laravel Blade template is using a state-changing HTTP method (like POST, PUT, PATCH, or DELETE) but is missing Laravel’s CSRF protection (such as the @csrf directive or a CSRF token). This leaves the form vulnerable to unauthorized requests from malicious sites.
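
The Django rule above and this Blade rule look for the same thing in two template dialects, so one added example serves both. The scanner below is not code from the page or from either framework: it finds every <form> whose method is not GET or HEAD (a form with no method attribute submits via GET and is skipped) and reports those whose body, up to the closing </form>, lacks the framework's token marker: {% csrf_token %} for Django, @csrf or {{ csrf_field() }} for Blade. Both templates it runs over are constructed.

```python
"""Find state-changing <form> elements without a CSRF token marker in Django
and Laravel Blade templates (added example; sample templates are constructed)."""
import re

FORM_OPEN = re.compile(r"<form\b([^>]*)>", re.IGNORECASE | re.DOTALL)
FORM_CLOSE = re.compile(r"</form>", re.IGNORECASE)
METHOD = re.compile(r"""\bmethod\s*=\s*["']?\s*(\w+)""", re.IGNORECASE)
TOKEN_MARKERS = {
    "django": re.compile(r"\{%\s*csrf_token\s*%\}"),
    "blade": re.compile(r"@csrf\b|\{\{\s*csrf_field\(\)\s*\}\}"),
}
SAFE_METHODS = {"GET", "HEAD"}


def unprotected_forms(template: str, flavor: str) -> list:
    """Return (line_number, method) for each state-changing form with no token.

    The form body is taken up to the next </form>, or to end of file if the
    template never closes the form.
    """
    marker = TOKEN_MARKERS[flavor]
    findings = []
    for m in FORM_OPEN.finditer(template):
        meth = METHOD.search(m.group(1))
        method = meth.group(1).upper() if meth else "GET"   # HTML default
        if method in SAFE_METHODS:
            continue
        close = FORM_CLOSE.search(template, m.end())
        body = template[m.end(): close.start() if close else len(template)]
        if not marker.search(body):
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, method))
    return findings


# Constructed Django template: first form unprotected, second protected,
# third a GET form that needs no token.
DJANGO_TEMPLATE = """<form method="post" action="/profile/">
  <input name="email">
</form>
<form method="post" action="/logout/">
  {% csrf_token %}
  <button>Log out</button>
</form>
<form method="get" action="/search/">
  <input name="q">
</form>
"""

# Constructed Blade template: the delete form is protected (method spoofing
# via @method still sends a POST), the comment form is not.
BLADE_TEMPLATE = """<form method="POST" action="/posts/1">
    @csrf
    @method('DELETE')
    <button>Delete</button>
</form>
<form method="post" action="/comments">
    <textarea name="body"></textarea>
</form>
"""

if __name__ == "__main__":
    print("django:", unprotected_forms(DJANGO_TEMPLATE, "django"))
    print("blade:", unprotected_forms(BLADE_TEMPLATE, "blade"))
```

Forms assembled from partials or JavaScript will not be seen by a template-level scan like this, so treat its output as a list of places to look rather than proof that the remaining forms are protected.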