Most people think about vulnerabilities in terms of severity, which is why Acunetix defaults to a straightforward, color-coded "high", "medium", "low", and "info" severity rating for the vulnerabilities and issues it finds. However, Acunetix also provides other vulnerability classifications, which are useful in situations where additional classification information is required.
The following is a list of classifications available in Acunetix for each vulnerability alert (where applicable).
Severity
Severity is a metric for classifying the level of risk which a security vulnerability poses.
The severity level of a vulnerability is assigned based on the security risk posed to an organization should the vulnerability be exploited, as well as the degree of difficulty involved in exploiting it. The result of a successful attack by exploiting a vulnerability could vary from denial of service and information disclosure, to a complete compromise of applications or systems.
The following describes the impact associated with each vulnerability severity level.
High
An attacker can fully compromise the confidentiality, integrity or availability of a target system without specialized access, user interaction or circumstances that are beyond the attacker’s control. Very likely to allow lateral movement and escalation of the attack to other systems on the internal network of the vulnerable application.
Medium
An attacker can partially compromise the confidentiality, integrity, or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker’s control may be required for an attack to succeed. Very likely to be used in conjunction with other vulnerabilities to escalate an attack.
Low
An attacker has limited scope to compromise the confidentiality, integrity, or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker’s control are required for an attack to succeed. Needs to be used in conjunction with other vulnerabilities to escalate an attack.
Informational
An attacker can obtain information about the web site. This is not necessarily a vulnerability, but any information which an attacker obtains might be used to more accurately craft an attack at a later date. It is recommended to restrict any information disclosure as far as possible.
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information security vulnerabilities and exposures. Each vulnerability or exposure is given a CVE identifier, which is in turn used across the board by vendors, advisory bodies and vulnerability databases.
Where applicable, Acunetix will show one or more CVEs associated with the vulnerability detected. Upon following the link to the CVE, you will be taken to the CVE database with details about that CVE.
Common Vulnerability Scoring System (CVSS)
Common Vulnerability Scoring System (CVSS) is an open standard for assessing the severity of security vulnerabilities. CVSS is specifically designed to be independent of any specific vendor or industry, and also to be interoperable across systems.
Acunetix also supports CVSS v3.0, and following the CVSS v3.0 score link will take you straight from Acunetix to the CVSS v3.0 calculator.
Common Weakness Enumeration (CWE)
The Common Weakness Enumeration (CWE) is an open community project that aims to create a catalog of software weaknesses and vulnerabilities. CWE provides vendor- and industry-independent identifiers for common weaknesses, meaning that CWE identifiers can easily be used across different systems and by different vendors.