Excessive Data Exposure issue

Hello everyone. Hope someone can shed some light on an issue that is driving me crazy.
An API (written in C#) that I work with started returning 3 medium threats on “Excessive Data Exposure”. I started researching and found that probably the issue had to do with the endpoints returning too much data. Steps I took included

  1. Modify the sql query to return only 2 of the original 20 fields ( we were doing a select * )
  2. Creating a specific DTO for the object returned, including only those 2 fields
    But CxSAST scans keep returning the medium threats…

What else should I be looking at?

If this question needs to be redirected to a different forum, please let me know