| Vulnerability Name | Classifications | Severity |
|---|---|---|
| SAML Response Signature Exclusion | CWE-16, ISO27001-a.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | High |
| SAML Response Without Signature | CWE-16, ISO27001-a.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | High |
| Server-Side Request Forgery (Apache Server Status) | CWE-918, ISO27001-A.14.2.5, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | High |
| Server-Side Request Forgery (AWS) | CWE-918, ISO27001-A.14.2.5, OWASP 2017-A5, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | High |
| Server-Side Request Forgery (elmah MVC) | PCI v3.2-6.5.6, CAPEC-347, CWE-918, HIPAA-164.306(a), 164.308(a), ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C | High |
| Server-Side Request Forgery (elmah) | PCI v3.2-6.5.6, CAPEC-347, CWE-918, HIPAA-164.306(a), 164.308(a), ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C | High |
| Server-Side Request Forgery (MySQL) | CWE-918, ISO27001-A.14.2.5, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | High |
| Server-Side Request Forgery (SSH) | CWE-918, ISO27001-A.14.2.5, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | High |
| Server-Side Template Injection (IAST) | PCI v3.2-6.5.1, CAPEC-66, CWE-20, HIPAA-164.306(a), 164.308(a), ISO27001-A.14.2.5, WASC-19, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | High |
| Stored Cross-site Scripting | PCI v3.2-6.5.7, CAPEC-19, CWE-79, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | High |
| SVN Detected | CAPEC-118, CWE-527, ISO27001-A.9.4.1, WASC-13, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | High |
| TorchServe Management API Publicly Exposed | PCI v3.2-6.5.8, CAPEC-212, CWE-200, HIPAA-164.312(a)(1), ISO27001-A.18.1.3, WASC-14, OWASP 2013-A5, OWASP 2017-A6 | High |
| Trace.axd Detected | PCI v3.2-6.5.6, CAPEC-347, CWE-16, HIPAA-164.306(a), 164.308(a), ISO27001-A.18.1.3, WASC-15, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C | High |
| Unrestricted File Upload | PCI v3.2-6.5.1, CWE-434, ISO27001-A.14.2.5, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | High |
| Weak Basic Authentication Credentials | PCI v3.2-6.5.10, CAPEC-16, CWE-521, ISO27001-A.9.4.3, WASC-15, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | High |
| Weak Secret is Used to Sign JWT | CWE-347, OWASP 2017-A2, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | High |
| WebDAV Directory Has Write Permissions | PCI v3.2-6.5.8, CWE-732, ISO27001-A.9.4.1, WASC-17, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C | High |
| WebDAV Directory Has Write Permissions (IIS) | PCI v3.2-6.5.8, CWE-732, ISO27001-A.9.4.1, WASC-17, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C | High |
| XML External Entity Injection | PCI v3.2-6.5.1, CAPEC-376, CWE-611, HIPAA-164.306(a), 164.308(a), ISO27001-A.14.2.5, WASC-43, OWASP 2013-A1, OWASP 2017-A4, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H | High |
| XML External Entity Injection (IAST) | CWE-611, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | High |
| XPath Injection (IAST) | PCI v3.2-6.5.1, CAPEC-66, CWE-20, HIPAA-164.306(a), 164.308(a), ISO27001-A.14.2.5, WASC-19, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | High |
| Active Mixed Content over HTTPS | CWE-319, ISO27001-A.14.1.3, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | Medium |
| Anonymous Ciphers Supported | PCI v3.2-6.5.4, CAPEC-117, CWE-311, ISO27001-A.14.1.3, WASC-4, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N | Medium |
| Apache Server-Info Detected | CAPEC-347, CWE-16, ISO27001-A.18.1.3, WASC-14, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C | Medium |
| Apache Server-Status Detected | CAPEC-347, CWE-16, ISO27001-A.18.1.3, WASC-14, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C | Medium |
| ASP.NET Cookieless Authentication Is Enabled | CWE-16, OWASP 2013-A5, OWASP 2017-A6 | Medium |
| ASP.NET Cookieless Session State Is Enabled | CWE-16, OWASP 2013-A5, OWASP 2017-A6 | Medium |
| ASP.NET CustomErrors Is Disabled | CWE-16, OWASP 2013-A6, OWASP 2017-A3 | Medium |
| ASP.NET Login Credentials Stored In Plain Text | CWE-312, OWASP 2013-A6, OWASP 2017-A3 | Medium |
| ASP.NET ValidateRequest Is Globally Disabled | CWE-16, OWASP 2013-A5, OWASP 2017-A6 | Medium |
| ASP.NET: Failure To Require SSL For Authentication Cookies | CWE-16, OWASP 2017-A6 | Medium |
| Axis Development Mode Enabled in WEB-INF/server-config.wsdd | CWE-16, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| Axis system configuration listing enabled in WEB-INF/server-config.wsdd | CWE-16, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| Base Tag Hijacking | PCI v3.2-6.5.7, CAPEC-19, CWE-20, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | Medium |
| BREACH Attack Detected | CWE-310, OWASP 2013-A9, OWASP 2017-A9, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | Medium |
| Critical Form Send to HTTP | PCI v3.2-6.5.4, CAPEC-65, CWE-319, ISO27001-A.14.1.3, WASC-4, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Medium |
| Critical Form Served over HTTP | PCI v3.2-6.5.4, CAPEC-65, CWE-319, ISO27001-A.14.1.3, WASC-4, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Medium |
| Custom Error Pages Are Not Configured in WEB-INF/web.xml | CWE-16, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| CVS Detected | CAPEC-118, CWE-527, ISO27001-A.9.4.5, WASC-13, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Medium |
| Expired SSL Certificate | CWE-295, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | Medium |
| Express Development Mode Is Enabled | CWE-200, ISO27001-A.9.4.1, WASC-14, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Medium |
| Express express-session Weak Secret Key Detected | CWE-200, WASC-14, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| Frame Injection | PCI v3.2-6.5.1, CWE-601, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-38, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N | Medium |
| GIT Detected | CAPEC-118, CWE-527, ISO27001-A.9.4.5, WASC-13, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | Medium |
| HTTP Header Injection | PCI v3.2-6.5.1, CAPEC-105, CWE-93, HIPAA-164.306(a), 164.308(a), ISO27001-A.14.2.5, WASC-24, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | Medium |
| HTTP Header Injection (IAST) | PCI v3.2-6.5.1, CAPEC-105, CWE-93, HIPAA-164.306(a), 164.308(a), ISO27001-A.14.2.5, WASC-24, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | Medium |
| HTTP Strict Transport Security (HSTS) Errors and Warnings | CWE-16, ISO27001-A.14.1.2, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Medium |
| HTTP Strict Transport Security (HSTS) Policy Not Enabled | CAPEC-217, CWE-523, ISO27001-A.14.1.2, WASC-4, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L | Medium |
| Insecure HTTP Usage | ISO27001-A.14.1.3, WASC-4, OWASP 2013-A5, OWASP 2017-A3, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Medium |
| Insecure Transportation Security Protocol Supported (SSLv3) | PCI v3.2-6.5.4, CAPEC-217, CWE-326, HIPAA-164.306, ISO27001-A.14.1.3, WASC-4, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C | Medium |
| Invalid SSL Certificate | PCI v3.2-6.5.4, CAPEC-459, CWE-295, ISO27001-A.14.1.3, WASC-4, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | Medium |
| Java Verb Tampering Via Misconfigured Security Constraint | CWE-16, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| JavaMelody Interface Detected | CAPEC-347, CWE-16, ISO27001-A.18.1.3, WASC-14, OWASP 2013-A5, OWASP 2017-A6 | Medium |
| JetBrains .idea Project Directory Detected | CAPEC-118, CWE-285, ISO27001-A9.4.5, WASC-13, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | Medium |
| Microsoft Access Database File Detected | PCI v3.2-6.5.8, CWE-285, ISO27001-A.18.1.3, WASC-2, OWASP 2013-A7, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Medium |
| Node.js Web Application does not handle uncaughtException | CWE-248, WASC-14, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| Node.js Web Application does not handle unhandledRejection | CWE-248, WASC-14, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| Open Policy Crossdomain.xml Detected | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C | Medium |
| Open Redirection | CWE-601, ISO27001-A.14.2.5, WASC-38, OWASP 2013-A10, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | Medium |
| Open Redirection (DOM based) | CWE-601, ISO27001-A.14.2.5, WASC-38, OWASP 2013-A10, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N | Medium |
| Open Silverlight Client Access Policy | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C | Medium |
| Overly Long Session Timeout | CWE-16, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| Password Transmitted over Query String | PCI v3.2-6.5.4, CWE-598, ISO27001-A.14.2.5, WASC-13, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | Medium |
| PHP enable_dl Is Enabled | CWE-16, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | Medium |
| PHP register_globals Is Enabled | CWE-473, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | Medium |
| PHP session.use_only_cookies Is Disabled | CWE-598, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | Medium |
| PHP session.use_trans_sid Is Enabled | CWE-598, OWASP 2013-A5, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | Medium |
| Revoked SSL Certificate | CWE-295, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | Medium |
| RSA Private Key Detected | CAPEC-118, CWE-200, ISO27001-A.18.1.3, WASC-13, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | Medium |
| SAML Consumer Service KeyInfo RetrievalMethod SSRF | CWE-918, ISO27001-a.14.2.5, WASC-20, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Medium |
| SAML Consumer Service XSS Vulnerability | PCI v3.2-6.5.7, CAPEC-19, CWE-79, HIPAA-164.308(a), ISO27001-a.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7 | Medium |
| Sensitive Data Exposure | PCI v3.2-6.5.6, CAPEC-37, CWE-200, ISO27001-A.8.2.1, WASC-WASC-13, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | Medium |
| Sensitive Data Exposure – Amazon AWS Access Key Id | PCI v3.2-6.5.6, CAPEC-37, CWE-200, ISO27001-A.8.2.1, WASC-WASC-13, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | Medium |
| Sensitive Data Exposure – Amazon AWS Secret Key | PCI v3.2-6.5.6, CAPEC-37, CWE-200, ISO27001-A.8.2.1, WASC-WASC-13, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | Medium |
| Sensitive Data Exposure – Amazon MWS Auth Token | PCI v3.2-6.5.6, CAPEC-37, CWE-200, ISO27001-A.8.2.1, WASC-WASC-13, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | Medium |