/alerttags/cwe-16/ Recent content in CWE-16 on ZAP Hugo en-us /docs/alerts/10063-2/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10063-2/ <p>The header has now been renamed to Permissions-Policy.</p> /docs/alerts/10058/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10058/ <p>A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.</p> /docs/alerts/50007-3/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/50007-3/ <p>A circular reference was detected in the GraphQL schema, where object types reference each other in a cycle. This can be exploited by attackers to craft deeply recursive queries, potentially leading to Denial of Service (DoS) conditions.</p> /docs/alerts/50007-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/50007-1/ <p>The GraphQL endpoint has Introspection enabled. Introspection allows clients to query the schema and retrieve detailed information about the fields, types, inputs, etc. supported by the GraphQL endpoint. This may be valuable to an attacker, as it could enable them to craft more targeted queries.</p>