1. Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') (CWE-89): The database server could be compromised, or subjected to denial of service, because request parameters were not validated before being used in SQL statements.
2. Weak Credential (CWE-521): Default administrative credentials were in use on the web sites.
3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) (Reflected): A user's computer could be compromised because improperly handled input allowed malicious script to be injected into the generated page.
4. Missing Function Level Access Control (CWE-935): An unauthorized user could access and use functions intended for administrative users.
5. Unsupported Software Version: Both the desktop application and the operating system in use were obsolete, which could lead to the server being compromised.
6. Outdated Software Version: The application in use was obsolete, which could lead to the server being compromised.
7. Cross-Site Request Forgery (CSRF) (CWE-352): Information could be inserted or modified without the user intending it.
8. Plaintext Storage of a Password (CWE-256): Users' passwords appeared on the administrative console and were stored in plaintext at rest.
9. Sensitive Cookie Without "HttpOnly" Attribute Set (CWE-614): A user's cookie could be disclosed because the "HttpOnly" cookie attribute was not set.
10. File and Directory Information Exposure (CWE-538): Sensitive information on the server could be obtained through a directory listing vulnerability.
11. Protection Mechanism Failure (CWE-693): A user's credentials could be stolen by deceiving the user into visiting a counterfeit website that renders the legitimate website inside a frame, because the X-Frame-Options header was not set.
12. Information Leakage Through HTTP Response Header (CWE-200): The server version and the development framework could be disclosed.
13. Information Exposure Through Unnecessary Page (CWE-531): Test or otherwise unnecessary pages contained information useful to an attacker.
14. Information Exposure Through Server Error Message (CWE-550): The web application did not handle errors properly, so sensitive information was disclosed in error messages.
15. Missing HTTP Security Header: Security headers were not set on the web server.
16. Information Exposure (Unnecessary HTTP Method) (CWE-200): The HTTP OPTIONS and TRACE methods were enabled.
17. Information Exposure Through Browser Caching (CWE-525): Users' information stored on the machine by the browser's auto-complete function could be obtained.
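Item 1 (SQL injection through unvalidated parameters) is easiest to see with the weak query beside its fix. The following is an added example and not code from the report above; it uses Python's built-in sqlite3 module against a constructed in-memory table, and the user names, roles and the tautology input are all made up for the demonstration.

```python
"""SQL injection (CWE-89): vulnerable string-built query beside its fixes.

Added example; not code from the original report. Uses Python's built-in
sqlite3 and a constructed in-memory users table.
"""
import sqlite3
from typing import Dict, List, Tuple

Row = Tuple[str, str]


def setup_db() -> sqlite3.Connection:
    """Create a constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """CWE-89 as found in the report: the request parameter is concatenated
    into the SQL text, so quote characters in it change the query's meaning."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Fix: bind the value as a parameter; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user_by_id(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """Fix for non-string parameters: validate the type before use and still
    bind it. Anything that is not a plain non-negative integer is rejected."""
    if not raw_id.isdigit():
        raise ValueError(f"invalid user id: {raw_id!r}")
    return conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


def demo() -> Dict[str, List[Row]]:
    """Run both lookups with a normal and an injected parameter."""
    conn = setup_db()
    injected = "' OR '1'='1"  # constructed tautology input
    return {
        "normal_vulnerable": find_user_vulnerable(conn, "alice"),
        "normal_safe": find_user_safe(conn, "alice"),
        "injected_vulnerable": find_user_vulnerable(conn, injected),  # every row
        "injected_safe": find_user_safe(conn, injected),  # no such username
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the tautology input the vulnerable query returns every row because the input became part of the SQL text, while the parameterized query returns nothing because the same characters were compared as data. Parameter binding is the fix for the injection itself; the `isdigit` check in `find_user_by_id` shows the separate validation step that also limits the denial-of-service angle mentioned in the finding (a malformed or oversized value is rejected before the database sees it).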
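Items 9, 11, 12, 15, 16 and 17 are all visible in a single HTTP response head, so one checker covers them. The script below is an added example, not code from the report: it parses a raw response and reports the missing or weak headers. The two sample responses are constructed for illustration (the server, framework and cookie values are invented). It accepts a Content-Security-Policy `frame-ancestors` directive as an alternative to X-Frame-Options, which the report does not mention, and treats the `Allow` header of an OPTIONS reply as the place where TRACE would be advertised.

```python
"""Audit an HTTP response head for the header-related findings above.

Added example; not part of the original report. Both responses below are
constructed for illustration and do not come from any real system.
"""
from typing import Dict, List, Tuple

# 15. Absence of any of these is the "Missing HTTP Security Header" finding.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "content-security-policy",
)
# 12. Headers that commonly leak server / framework versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; Path=/
Allow: GET, POST, OPTIONS, TRACE
Content-Type: text/html
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
Cache-Control: no-store
Allow: GET, POST, HEAD
Content-Type: text/html
"""


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw response head into (status line, header map).
    Names are lower-cased; values are lists because Set-Cookie may repeat."""
    lines = raw.strip("\r\n").split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding string per weakness; an empty list means clean."""
    findings: List[str] = []

    # 9. Sensitive cookie without HttpOnly (CWE-614).
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie.split('=', 1)[0]!r} missing HttpOnly")

    # 11. Framing protection (CWE-693): X-Frame-Options or CSP frame-ancestors.
    csp = " ".join(headers.get("content-security-policy", []))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options / CSP frame-ancestors (clickjacking)")

    # 12. Version disclosure (CWE-200): a digit in a product header is enough.
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            if any(ch.isdigit() for ch in value):
                findings.append(f"{name} discloses version: {value}")

    # 15. Missing security headers.
    findings.extend(f"missing {name}" for name in REQUIRED_HEADERS if name not in headers)

    # 16. Unnecessary HTTP method advertised in Allow.
    allowed = {m.strip().upper() for v in headers.get("allow", []) for m in v.split(",")}
    if "TRACE" in allowed:
        findings.append("TRACE method enabled")

    # 17. Browser caching of sensitive pages (CWE-525): expect no-store.
    if "no-store" not in " ".join(headers.get("cache-control", [])).lower():
        findings.append("Cache-Control lacks no-store")

    return findings


def audit_raw(raw: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_headers(parse_response(raw)[1])


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw(raw) or "clean")
```

Run against the weak response it reports nine findings (the HttpOnly cookie, framing, two version headers, three missing headers, TRACE and caching); the hardened response comes back clean. The auto-complete part of item 17 lives in the HTML (`autocomplete="off"` on the sensitive form fields) rather than in a header, so the checker only covers the caching side of that finding.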