Both frontend and backend applications are typically deployed with code fragments for customization or may in some cases be written from scratch based on the CoreMedia APIs. Make sure to review source code for security issues.

Validate input data and handle imported data robustly. Be careful when external data causes the access of local resources, for example reading files or content objects or making server-side remote requests. XML parsing may leak local data through XML external entity (XXE) references. While the XML API in com.coremedia.xml has been hardened as far as possible, the native Java XML parsing might be more vulnerable.

Java serialization and deserialization must be used with care, because the JVM suspends certain protection mechanism for these operations, allowing both data leaks and code execution.

Note that a Unified API connection can perform all operations for which its logged-in user is authorized. A Unified API connection for the users studio and workflow may even incorporate other users, thereby gaining full access. This means that extensions of the Workflow Server, and Studio must be particularly well checked.