DX UIM impact of CWE-915 (API Mass Assignment)



Article ID: 435139


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

A security scan may report a CWE-915 finding (Improperly Controlled Modification of Dynamically-Determined Object Attributes, commonly called API Mass Assignment) against the DX Unified Infrastructure Management (UIM) backend API.

Environment

DX UIM Operator Console - any version

Cause

This finding is typically raised by automated scanners when they detect an endpoint that accepts structured request bodies (JSON/XML). The scanner cannot see how the server binds the body to its internal objects, so it assumes the backend may copy every submitted field onto an internal data model without a filtering layer, and reports the endpoint on that assumption rather than on a confirmed modification.

Resolution

This finding is a false positive.

DX UIM employs a secure data-binding architecture that prevents Mass Assignment vulnerabilities through the following mechanisms:

  • Strict Data Transfer Objects (DTOs): Every API endpoint that accepts a request payload uses specific DTO classes to map the request body to a strictly defined schema.
  • Schema Validation: Incoming parameters are validated against these predefined schemas. Any field that is not explicitly defined in the DTO is automatically stripped and ignored by the backend.
  • Input Sanitization: Each valid parameter undergoes additional validation against business rules and data types before being passed to the application logic.
  • Decoupled Architecture: The API layer is decoupled from the underlying data persistence layer, ensuring that internal system attributes cannot be modified through external API payloads.


Because the backend rejects or ignores any data that does not match the defined schema, extra parameters included in a request by a user cannot reach internal attributes and do not pose a security risk. A reviewer who needs to confirm this for a specific endpoint can submit a request that includes an attribute outside the documented schema and verify that the resulting object state shows no change for that attribute.
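The following is an added illustration of the two binding styles described in the Cause and Resolution sections above; it is not DX UIM code and the model, DTO, field names and probe payload are hypothetical. It contrasts the mass-assignment-prone binding a scanner assumes (every request key copied onto the model) with the strict DTO pattern listed above: declared-field schema validation that strips unknown keys, type checks, business-rule validation, and an explicit field-by-field copy into the persistence model so that an internal attribute such as `is_admin` is never reachable from the request body.

```python
"""Added illustration: unfiltered binding vs. strict DTO binding.
Hypothetical model, DTO and field names; not DX UIM code."""
from dataclasses import dataclass, fields, replace


# Constructed sample: an internal model with an attribute (is_admin) that an
# API client must never be able to set directly. Hypothetical, not a UIM class.
@dataclass
class UserRecord:
    username: str
    email: str
    is_admin: bool = False


# Constructed probe payload of the kind an automated scanner sends: the two
# legitimate fields plus an extra attribute that exists only on the backend model.
PROBE_PAYLOAD = {"username": "alice", "email": "alice@example.com", "is_admin": True}


def bind_unfiltered(record: UserRecord, payload: dict) -> UserRecord:
    """CWE-915 pattern: every key in the request body is copied onto the model,
    so the extra "is_admin" key silently escalates the account."""
    for key, value in payload.items():
        setattr(record, key, value)
    return record


@dataclass(frozen=True)
class UserUpdateDTO:
    """Strict DTO: the only fields an external caller may change. Anything not
    declared here has no path to the persistence layer."""
    username: str
    email: str


def bind_to_dto(payload: dict) -> tuple:
    """Schema validation: keep only declared DTO fields, enforce their types, and
    report which request keys were stripped. Raises on missing/mistyped fields."""
    declared = {f.name: f.type for f in fields(UserUpdateDTO)}
    stripped = sorted(k for k in payload if k not in declared)
    kept = {}
    for name, expected in declared.items():
        if name not in payload:
            raise ValueError(f"missing required field: {name}")
        if not isinstance(payload[name], expected):
            raise TypeError(f"{name}: expected {expected.__name__}")
        kept[name] = payload[name]
    return UserUpdateDTO(**kept), stripped


def check_business_rules(dto: UserUpdateDTO) -> None:
    """Input sanitization step: per-field rules applied after schema validation.
    The rules themselves are hypothetical."""
    if not dto.username or len(dto.username) > 64:
        raise ValueError("username must be 1-64 characters")
    if "@" not in dto.email:
        raise ValueError("email must contain '@'")


def handle_update(record: UserRecord, payload: dict) -> dict:
    """Hardened endpoint: DTO binding, rule checks, then an explicit field-by-field
    copy into the persistence model. Returns the outcome for inspection."""
    try:
        dto, stripped = bind_to_dto(payload)
        check_business_rules(dto)
    except (ValueError, TypeError) as exc:
        return {"record": record, "stripped": [], "error": str(exc)}
    # Decoupling: only DTO fields are mapped onto the record; is_admin is never touched.
    updated = replace(record, username=dto.username, email=dto.email)
    return {"record": updated, "stripped": stripped, "error": None}


if __name__ == "__main__":
    vulnerable = bind_unfiltered(UserRecord("alice", "old@example.com"), dict(PROBE_PAYLOAD))
    print("unfiltered binding ->", vulnerable)  # is_admin=True: privilege escalation
    hardened = handle_update(UserRecord("alice", "old@example.com"), dict(PROBE_PAYLOAD))
    print("DTO binding        ->", hardened["record"], "stripped:", hardened["stripped"])
```

Running the module shows the same probe payload escalating the account under unfiltered binding and being reduced to `username`/`email` under DTO binding, with `is_admin` reported as stripped. The `stripped` list is also the evidence a reviewer wants when closing a scanner finding: it records exactly which submitted keys never reached the model.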