The web application was found to provide several endpoints which allowed for unauthenticated data retrieval. For example, the following endpoints were found to return CSV lists with no authentication necessary:
The /Stream/ProjectsCSV endpoint allowed for the retrieval of all projects and their related information.
Discovered in: 12.0.19 (Cloud) 11.2.1 (On-Premise)
Fixed in: 12.0.22 (Cloud) 11.4.10 (On-Premise)