@pompompurins
Last active March 23, 2023 18:55

Top 10 Web Application Security Risks

A1:2017-Exposed JS File (EJF): Having a .js file exposed. This vulnerability would allow an attacker to exploit your webshell and upload a reverse shell onto the website. An example of this vulnerability in the wild can be seen here: https://doxbin.org/legacy/jquery.min.js

A2:2017-Exposed Login Page: Login page being accessible to the public. This should never be the case, as someone could login using it.

A3:2017-Having Subdomains: Many web applications might have subdomains (e.g. login.example.com, cdn.example.com). This is a vulnerability because it allows an attacker to visit your subdomains. An attacker could then possibly find a login page, which is another vulnerability.

A4:2017-Error Pages Enabled (EPE): Any type of error page (403, 404, 429) is considered a high level vulnerability. It allows an attacker to know that there is something there and/or there is a critical buffer overflow. This is especially dangerous when someone attempts to access a file that doesn't exist, because when they get the 404 error then they know there isn't a file there.

A5:2017-Using an API: Using an API is not recommended. It can allow an attacker to use a website correctly. This would then allow the attacker to further pentest your website, as if the API works then they can use the website.

A6:2017-Port 443 Open: Having port 443 open is a flaw that allows an attacker to visit port 443 on your network. They may be able to visit your website via this port if it is open and configured correctly. We highly recommend using only port 80 for communication via computers.

A7:2017-Public Beta Files: A Public Beta may allow an attacker to gain insider knowledge as to how a program may operate in the future. This is very dangerous, as attackers will be able to plan on how to attack a website in the future.

A8:2017-Having URL Parameters (HUP): Having URL parameters can allow an attacker to get SQLi on your website. No matter how a parameter is passed to a web application, it is always vulnerable. It is common practice not to use URL parameters these days due to the critical vulnerabilities they can cause.

A9:2017-Having Security Questions: Having security questions on your accounts is a vulnerability because it allows attackers to infiltrate systems and extract data.

A10:2017-HTML Code Disclosure (HCD): Exposing your HTML Code can lead to attackers being able to steal your website and clone it. It can also lead to attackers figuring out how your website works, and then they could upload a web shell and extract data from your webserver.

@marwanweed

Thanks for the info, you saved my life

@n0tm1t

n0tm1t commented May 13, 2022

the link is broken for A1-2017
