Vulnerability Severity Levels
Acunetix 360 scans for a wide variety of vulnerabilities in websites, web applications and web services. Each vulnerability has a different impact; some need to be addressed urgently, while others are less of a priority. For example, an SQL Injection vulnerability should definitely be prioritized over an Internal IP address disclosure.
What Are Vulnerability Severities?
To help you better decide which vulnerabilities should be fixed first, Acunetix 360 prioritises them in its scans and reports using the following vulnerability severity levels:
- High ()
- Medium ()
- Low ()
In addition, there are Information Alerts ().
High Severity Web Vulnerabilities
This section explains how Acunetix 360 defines and identifies web vulnerabilities of High severity ().
High Severity Example
This is what a report of a High severity vulnerability looks like in Acunetix 360.
Impacts of High Severity Vulnerabilities
Depending on the type of High Severity Vulnerability, attackers can take full or partial control of the server, gain access or take control of the backend database, access sensitive information, use your server to launch attacks against other servers, or gain access to user accounts, including admin accounts.
Suggested Action for High Severity Vulnerabilities
Considering the impact of High Severity Vulnerabilities, these type of vulnerabilities should be fixed immediately. Once you fix them, rescan your website to make sure they have been eliminated.
Medium Severity Web Vulnerabilities
This section explains how Acunetix 360 defines and identifies web vulnerabilities of Medium severity ().
Medium Severity Example
This is what a report of a Medium severity vulnerability looks like in Acunetix 360.
Impacts of Medium Severity Vulnerabilities
By exploiting Medium Severity Vulnerabilities, attackers will gain information and reconnaissance useful for their attack. Medium Severity vulnerabilities are often used to better understand your system, allowing them to refine and escalate the attacks. Such vulnerabilities can sometimes be connected, to increase the potential damage of the attack.
Suggested Action for Medium Severity Vulnerabilities
Most of the time, since the impact of Medium severity vulnerabilities is not direct, you should first focus on fixing High severity vulnerabilities. However, Medium severity vulnerabilities should still be addressed at the earliest possible opportunity.
Low Severity Web Vulnerabilities
This section explains how we define and identify web vulnerabilities of Low severity ().
Low Severity Example
This is what a report of a Low severity vulnerability looks like in Acunetix 360.
Impacts of Low Severity Vulnerabilities
Do not overly concern yourself if your website has low severity vulnerabilities. These types of issues do not have any significant impact and are not exploitable.
Suggested Action For Low Severity Vulnerabilities
If time and budget allows, it is worth investigating and fixing Low severity vulnerabilities .
This section explains how we define and use Information alerts ().
Impacts of Information Alerts
Acunetix 360 does not even classify these alerts as vulnerabilities. They are reported simply for your information as a website owner, as they may not have a direct impact but could help an attacker to gain a better understanding of your underlying systems.
Suggested Action for Information Alerts
In most cases, no action or fix is required. It is sometimes good to know about things that are on your web application such as: NTLM Authorization Required, Email Address found, Robots.txt Detected, Web server version exposed or WAF detected. The status of these vulnerabilities is set to 'Accepted Risk'. Vulnerabilities with 'Accepted Risk' status are listed in the Addressed Issues page.