In our internal security review, there are some points that are still open:
WebUI R24.0
Check the answers below from the WebUI Engineering team:
1. Improper input validation in the report creation page
It's regarding the forecast tab in the WCC, where it accepts the / and script in the description field. The description field is free-flow text, so there are no issues.
2. Insecure cookie attribute since cookie path is '/'
As the web server is specific to WebUI & AEWS and no other applications are hosted on this web server, we would not have root-level access to other applications.
3. Misconfigured CSP header, since unsafe-inline and unsafe-eval are present in the header
We use the 'unsafe-inline' and 'unsafe-eval' content security policies with the value set to "Self", which would mean that scripts from outside the application domain cannot be invoked or used. As part of the modernization, we are eliminating this.
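As an added example (not code from the review thread or the WebUI project), a small Python check that parses a Content-Security-Policy header and reports what its script-src directive still permits for inline scripts and eval(); the header values are constructed for illustration and the nonce is a placeholder.

```python
# Added example: a CSP checker that reports what the script policy still
# allows. Sample headers are constructed; the nonce value is a placeholder.

from typing import Dict, List

# Constructed: the weak form (self plus unsafe-inline/unsafe-eval) and a
# hardened form that uses a per-response nonce instead of 'unsafe-inline'.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'"

# Per CSP level 2+, a nonce or hash in script-src makes browsers ignore
# 'unsafe-inline', so its presence alongside a nonce is not a finding.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; when absent, default-src applies instead."""
    return policy.get("script-src", policy.get("default-src", []))


def check_script_policy(header: str) -> List[str]:
    """Return findings for what the policy still permits for script execution."""
    sources = script_sources(parse_csp(header))
    if not sources:
        return ["no script-src/default-src: any script source is allowed"]
    findings = []
    if "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources):
        findings.append("'unsafe-inline' allows inline <script> and event handlers; "
                        "'self' does not restrict inline code")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' allows eval()/new Function() on strings")
    if "*" in sources or "https:" in sources:
        findings.append("wildcard or scheme source allows scripts from any matching host")
    return findings


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, check_script_policy(csp) or ["no script findings"])
```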
4. Password copy/paste allowed on the login page.
There is no way to control this at this point, but we can consider and address this as part of the WebUI modernization efforts.
Note: The WebUI modernization feature will be available in later releases of the WebUI component. At this time, we do not have confirmation of the specific release version for the fix.