OWASP A01:2021 – Broken Access Control

OWASP A02:2021 – Cryptographic Failures

OWASP A03:2021 – Injection

OWASP A04:2021 – Insecure Design

OWASP A05:2021 – Security Misconfiguration

OWASP A06:2021 – Vulnerable and Outdated Components

OWASP A07:2021 – Identification and Authentication Failures

OWASP A08:2021 – Software and Data Integrity Failures

OWASP A09:2021 – Security Logging and Monitoring Failures

OWASP A10:2021 – Server-Side Request Forgery (SSRF)

Broken Authorization

High

This allows a low privilege attacker to perform actions that a higher privilege user would normally have access to.

🧑‍🏭

Default Passwords Hardcoded

Low

In a default implementation of an openIMIS environment, an attacker with access with these passwords can potentially access confidential information.

GraphQL introspection enabled

Low

An attacker can map out the API’s schema and gather information related to its configuration. This could lead to further attacks and potential loss of sensitive information.

⛔

Cookie Without SECURE flag

Low

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

⛔