• The fact that debugging is enabled is arguably API7, a security misconfiguration.
• The same goes for the API still floating on v1 with admin functionality. This is a shadow API, API7.
• The fact that a low-privilege user can view the admin interface is API5, broken authentication at the object level rather than the id level, since we do not have that parameter.
• The password is plaintext, which is bad.
• There is excessive data exposure (API3) because the password is returned in the response; there should never be a need for this.