Vulnerability Classification in Acunetix

The way most people think about vulnerabilities is usually in terms of severity — which is why Acunetix defaults to a straightforward, color-coded ‘high’, ‘medium’, ‘low’ severity rating for the vulnerabilities it finds. However, Acunetix also provides other vulnerability classifications, which are useful in situations where additional classification information is required.

The following is a list of classifications available in Acunetix for each vulnerability alert (where applicable).

Severity

Severity is a metric for classifying the level of risk which a security vulnerability poses.

The severity level of a vulnerability is assigned based on the security risk posed to an organization should the vulnerability be exploited, as well as the degree of difficulty involved in exploiting it. The result of a successful attack by exploiting a vulnerability could vary from denial of service and information disclosure, to a complete compromise of applications or systems.

The following describes the impact that each vulnerability severity level represents.

Severity: Description

High: An attacker can fully compromise the confidentiality, integrity or availability of a target system without specialized access, user interaction or circumstances that are beyond the attacker’s control. Very likely to allow lateral movement and escalation of the attack to other systems on the internal network of the vulnerable application.

Medium: An attacker can partially compromise the confidentiality, integrity or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker’s control may be required for an attack to succeed. Very likely to be used in conjunction with other vulnerabilities to escalate an attack.

Low: An attacker can compromise the confidentiality, integrity or availability of a target system only to a limited extent. Specialized access, user interaction, or circumstances that are beyond the attacker’s control are required for an attack to succeed. Needs to be used in conjunction with other vulnerabilities to escalate an attack.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information security vulnerabilities and exposures. Each vulnerability or exposure is given a CVE identifier, which is in turn used across the board by vendors, advisory bodies and vulnerability databases.

Where applicable, Acunetix will show one or more CVEs associated with the vulnerability detected. Upon following the link to the CVE, you will be taken to the CVE database with details about that CVE.

Common Vulnerability Scoring System (CVSS)

Common Vulnerability Scoring System (CVSS) is an open standard for assessing the severity of security vulnerabilities. CVSS is specifically designed not only to be independent of any specific vendor or industry, but also to be interoperable across systems.


Acunetix also supports CVSS v3.0; following the CVSS v3.0 score link takes you straight from Acunetix to the CVSS v3.0 calculator.


Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is an open community project that aims to create a catalog of software weaknesses and vulnerabilities. CWE provides vendor- and industry-independent identifiers for common weaknesses, meaning that CWE identifiers can easily be used across different systems and by different vendors.

  • Hi, I had a little question concerning the vulnerability classification when using Acunetix.
    I sometimes encounter vulnerabilities where the CVSSv3 score is classified as “High” but in the Acunetix metric it’s only “informational”. (For example, “Possible username or password disclosure”.)
    This may cause some debate on which vulnerability is acceptable and which should not pass our inspection, so I’d like to know how the Acunetix classification was done. Thank you!

    • Hi,

      It is common for the Acunetix severity rating to be different from that provided by CVSSv3. Usually, the rating provided by Acunetix is higher, since from a web security point of view the vulnerability is considered high, whereas the scoring system used by CVSS gives a lower mark.

      In your example, Acunetix probably gave a lower rating, since it is not possible for Acunetix to be sure that the username or password has been disclosed. You can however report the specific incident to our support team (support@acunetix.com), so we can check the issue further.

  • Hi,

    Our organization requires us to report vulnerability findings with a “Critical” rating, whereas you currently only offer up to a “High” severity rating. Is there any way we can get this functionality as an option on the Acunetix platform?
