For Developers
Could this give an attacker access to data they shouldn't see? (Think: user info, payment data, internal business data, API keys, passwords, etc.)
Could an attacker use this to change code, databases, configurations, or third-party services you use?
Could this allow changes to happen without appearing in logs, version control, or monitoring systems?
Could exploitation of this cause damage that requires rebuilding, restoring from backups, or manual intervention to fix?
Can someone exploit this without logging in or having an account?
Does the attacker need to be a system admin, database admin, or have elevated permissions?
Could this issue be exploited over the web/API, or does someone need to be on your local network?
Can someone exploit this with standard hacking tools, or do they need to code something from scratch?
Can this only be exploited under specific circumstances (certain configs, timing, user actions, etc.)?
Does this require compromising databases, APIs, or other services before it can be exploited?
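The questions above split naturally into two axes: the first four describe impact (what an attacker gains or breaks) and the remaining six describe exploitability (how hard it is to get there). The following Python is an added example, not part of the original checklist: it records the yes/no answers for a finding, scores each axis and reads a severity tier off a matrix. The grouping, the weights, the band cut-offs and the three sample findings are this example's own assumptions, to be tuned to your organisation's risk model.

```python
"""Severity triage from the developer checklist questions.

Added example, not part of the original checklist: the split of the questions
into impact and exploitability, the weights and the tier cut-offs are this
example's own assumptions, to be tuned to your organisation's risk model.
"""
from dataclasses import dataclass

# Weight per impact question (assumed values)
IMPACT_WEIGHTS = {
    "exposes_sensitive_data": 3,   # data the attacker should not see
    "allows_modification": 3,      # code, databases, configs, third-party services
    "evades_logging": 2,           # changes invisible to logs, VCS or monitoring
    "requires_rebuild": 2,         # damage needs restore, rebuild or manual fix
}

# Exploitability questions: enablers raise likelihood, hurdles lower it (assumed values)
LIKELIHOOD_WEIGHTS = {
    "unauthenticated": 3,          # no login or account needed
    "reachable_over_network": 3,   # web/API rather than local network only
    "standard_tooling": 2,         # off-the-shelf tools suffice
    "needs_admin": -2,             # sysadmin/DBA/elevated rights required
    "special_conditions": -2,      # only under specific configs, timing or user actions
    "needs_prior_compromise": -3,  # another service must already be compromised
}
MAX_LIKELIHOOD = sum(w for w in LIKELIHOOD_WEIGHTS.values() if w > 0)  # 8

# Severity matrix keyed by (impact band, likelihood band): neither axis alone decides
SEVERITY = {
    ("high", "high"): "critical", ("high", "medium"): "high",     ("high", "low"): "medium",
    ("medium", "high"): "high",   ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",    ("low", "medium"): "low",       ("low", "low"): "low",
}


@dataclass
class Finding:
    """Yes/no answers to the checklist; every field defaults to 'no'."""
    name: str
    exposes_sensitive_data: bool = False
    allows_modification: bool = False
    evades_logging: bool = False
    requires_rebuild: bool = False
    unauthenticated: bool = False
    needs_admin: bool = False
    reachable_over_network: bool = False
    standard_tooling: bool = False
    special_conditions: bool = False
    needs_prior_compromise: bool = False


def impact_score(f: Finding) -> int:
    """Sum the weights of the impact questions answered 'yes' (0..10)."""
    return sum(w for q, w in IMPACT_WEIGHTS.items() if getattr(f, q))


def likelihood_score(f: Finding) -> int:
    """Add enablers, subtract hurdles, clamp to 0..MAX_LIKELIHOOD."""
    raw = sum(w for q, w in LIKELIHOOD_WEIGHTS.items() if getattr(f, q))
    return max(0, min(MAX_LIKELIHOOD, raw))


def band(score: int) -> str:
    """Bucket a score into low / medium / high (cut-offs assumed)."""
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def triage(f: Finding) -> dict:
    """Return the scores, bands and resulting severity tier for one finding."""
    impact, likelihood = impact_score(f), likelihood_score(f)
    tier = SEVERITY[(band(impact), band(likelihood))]
    return {"name": f.name, "impact": impact, "likelihood": likelihood, "tier": tier}


def triage_all(findings: list) -> list:
    """Triage a batch and order it most severe first for the fix queue."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted((triage(f) for f in findings), key=lambda r: order[r["tier"]])


# Constructed sample findings (not real reports)
LEAKY_ENDPOINT = Finding(
    "customer records readable from an unauthenticated API endpoint",
    exposes_sensitive_data=True, unauthenticated=True,
    reachable_over_network=True, standard_tooling=True,
)
UNLOGGED_ADMIN_CHANGE = Finding(
    "DBA can alter a config table without an audit-log entry, only in maintenance mode",
    allows_modification=True, evades_logging=True, needs_admin=True,
    reachable_over_network=True, special_conditions=True,
)
UNAUTH_RCE = Finding(
    "unauthenticated remote code execution on the web tier, host must be rebuilt",
    exposes_sensitive_data=True, allows_modification=True, requires_rebuild=True,
    unauthenticated=True, reachable_over_network=True, standard_tooling=True,
)

if __name__ == "__main__":
    for row in triage_all([LEAKY_ENDPOINT, UNLOGGED_ADMIN_CHANGE, UNAUTH_RCE]):
        print(f'{row["tier"]:8} impact={row["impact"]:2} likelihood={row["likelihood"]} {row["name"]}')
```

The matrix is the point of the design: a finding that needs a DBA account and a special maintenance window scores high on impact but low on likelihood, so it lands at medium rather than being either dismissed or escalated on one axis alone, while an unauthenticated, network-reachable data leak is rated high even though it touches only one impact question.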