Difference between Fixed, Ignored and False Positive

When reviewing vulnerabilities, you can mark a vulnerability as Fixed, Ignored or False Positive.

Fixed should be used when the vulnerability has been fixed by the developers. If the same vulnerability is detected again in a later scan, it will be re-opened and marked as Rediscovered.

Ignored should be used when you know about a vulnerability but do not want to be notified about it in future scans. This status should be used with caution.

False Positive should be used on the rare occasion that a vulnerability is reported incorrectly by Acunetix. This status should only be applied after the vulnerability has been verified manually. Kindly report False Positives to our support team.
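As an added illustration (not Acunetix's own code), the following Python models the status workflow described above: a new scan is reconciled against the previously stored statuses, a Fixed finding that is detected again becomes Rediscovered, Ignored and False Positive findings stay suppressed, and a separate check lists suppressed findings the scanner still reports so they can be periodically re-verified. The finding identity (`FindingKey`) and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass

# Status names as used in the vulnerability workflow described above.
OPEN, FIXED, IGNORED, FALSE_POSITIVE, REDISCOVERED = (
    "Open", "Fixed", "Ignored", "False Positive", "Rediscovered")

@dataclass(frozen=True)
class FindingKey:
    """Hypothetical finding identity: same check at the same location."""
    check: str
    location: str

def reconcile(previous: dict, detected: set) -> dict:
    """Merge a new scan's detections into the stored status table.

    previous: {FindingKey: status} from earlier scans.
    detected: set of FindingKey reported by the new scan.
    Returns the updated {FindingKey: status}; findings not detected keep
    their previous status (a Fixed finding stays Fixed, etc.).
    """
    updated = dict(previous)
    for key in detected:
        status = previous.get(key)
        if status is None:
            updated[key] = OPEN           # never seen before: new finding
        elif status == FIXED:
            updated[key] = REDISCOVERED   # fix did not hold: re-opened
        # IGNORED / FALSE_POSITIVE stay suppressed; OPEN / REDISCOVERED unchanged
    return updated

def to_report(statuses: dict) -> list:
    """Findings to raise with the team: anything not closed or suppressed."""
    return sorted((k for k, s in statuses.items() if s in (OPEN, REDISCOVERED)),
                  key=lambda k: (k.check, k.location))

def suppressed_still_detected(statuses: dict, detected: set) -> list:
    """Ignored / False Positive findings the scanner still reports.

    These are not surfaced in the normal report, which is exactly why they
    deserve a periodic manual re-check (the page advises using Ignored with
    caution and verifying False Positives by hand).
    """
    return sorted((k for k in detected
                   if statuses.get(k) in (IGNORED, FALSE_POSITIVE)),
                  key=lambda k: (k.check, k.location))
```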

  • When running a scan on this website we are receiving the following vulnerability on our system when we run the free scan with only PHP checked under Advanced > Technologies:
    Apache Struts2 Remote Command Execution (S2-052)

    We believe that this is a false positive because we have checked our server and have confirmed that there is no trace of Java or Struts on the server at all.

    The website is using primarily PHP, with JavaScript and HTML, so there is no use of Java on it.

    • Hi,

      Can you please share details of the site you are scanning, so we can check why this is occurring – please send these to our support team. In the meantime, you can mark the vulnerability as False Positive and it will not be reported in future scans.
