Vulnerability severity levels
Acunetix scans for a wide variety of vulnerabilities in websites, web applications, and web services. Automation makes it easy to scan websites and prioritize the findings, helping you decide which ones to tackle first based on the level of risk your organization considers acceptable.
Each vulnerability has a different impact:
- Some vulnerabilities need to be addressed urgently because they cause the application to be compromised or damaged by attackers (Critical, High), while others are less of a priority (Low). For example, an SQL injection vulnerability should definitely be prioritized over an Internal IP address disclosure.
- Information Alerts give information that is relevant to the target application's infrastructure to help you implement additional security measures.
What are vulnerability severities?
To help you better decide which vulnerabilities should be fixed first, Acunetix categorizes them using threat levels in its scan results and reports.
Vulnerability severity levels:
- Critical: Critical vulnerabilities put the target website at maximum risk for hacking and data theft. Make it your highest priority to fix these vulnerabilities immediately.
- High: High vulnerabilities put the target website at risk of being hacked and can lead hackers to find other vulnerabilities. Fix these high vulnerabilities immediately.
- Medium: Medium vulnerabilities are caused by server misconfigurations and site-coding flaws, which facilitate server disruption and intrusion. They do not directly affect the application or system but should still be fixed.
- Low: Low vulnerabilities are derived from a lack of data traffic encryption or directory path disclosures. These issues should be determined by assessing the context in the application and by considering the business impacts.
- Informational: Information alerts help software developers make web applications that are secure by design.
For a full list of vulnerabilities and their classification, refer to our Web Application Vulnerabilities Index.
Critical severity web vulnerabilities
Issues marked as critical severity can allow attackers to execute code on the web application or application server, or access sensitive data.
Impacts of critical severity web vulnerabilities
- Examples include SQL injection, remote code execution, and command injections. In exploiting this type of vulnerability, attackers could carry out a range of malicious acts that could, for example, affect a web application's availability or put its confidentiality and security at risk.
- In addition, it is the existence and prevalence of automated exploitation tools that make fixing these types of issues urgent.
Suggested action for critical severity vulnerabilities
A critical severity vulnerability means that your website is at risk of being hacked at any time. We recommend you make it your highest priority to fix these vulnerabilities immediately.
High severity web vulnerabilities
Issues marked as high severity can allow malicious attackers to access application resources and data. This can allow an attacker to steal session information or sensitive data from the application or server.
The difference between critical and high severity is that with a high severity vulnerability, a malicious attacker cannot execute code or a command on the application or server.
Impacts of high severity vulnerabilities
- Examples include XSS, XML external entity injection (XXE), and LFI.
  In the case of a detected XSS vulnerability, an attacker could:
  - Execute script code in the user's browser
  - Steal the user's cookies
  In the case of a detected XXE vulnerability, an attacker could:
  - Read sensitive data on the server
  - Make requests to internal or external resources
- Attackers conducting this type of attack have some technical skills, but many tools make the exploitation process automated.
High severity example
This is what a report of a high severity vulnerability looks like in Acunetix.
Suggested action for high severity vulnerabilities
A high severity vulnerability means that your website can be hacked and can lead hackers to find other vulnerabilities that have a bigger impact. We recommend that you fix these types of vulnerabilities immediately.
Medium severity web vulnerabilities
Issues marked as medium severity usually arise because of errors and deficiencies in the application configuration. By exploiting these security issues, malicious attackers can access sensitive information on the application or server.
In comparison to critical and high severity issues, the impact is relatively limited.
Impacts of medium severity vulnerabilities
- Attackers conducting this type of attack require more skill than those exploiting critical and high severity issues.
- Exploitation of these types of vulnerabilities can depend on the existence of some special conditions. For example, in the case of SSL/TLS certificate issues, or misconfiguration of TLS, an attacker has to be in an appropriate location to be able to eavesdrop on the connection of the victim.
Medium severity example
This is what a report of a medium severity vulnerability looks like in Acunetix.
Suggested action for medium severity vulnerabilities
Even though special conditions are required to exploit medium severity issues, and they do not directly affect the application or system (in contrast to critical and high severities), they should still be fixed in order to keep your web application secure and comply with applicable regulations.
Low severity web vulnerabilities
Issues marked as low severity include information leakage, configuration errors, and a lack of some security measures. They can be combined with other issues of a higher severity level and can be used in conjunction with social engineering (manipulating people into following certain actions or revealing crucial information) to cause a more severe impact on the target.
In comparison to critical, high, and medium severity issues, these findings have limited effect.
Impacts of low severity vulnerabilities
- When a website reveals the version number of an application, an attacker can carry out vulnerability mapping by looking at the vulnerability database to see if an issue exists in that version of the application and then exploiting it.
- Acunetix reports username disclosure vulnerabilities when related to Windows or Linux operating systems or RDBMS. Though they are flagged as low severity vulnerabilities by themselves, an attacker could use this information to find a way to access the target application's operating system or database system.
- In the case of application configuration errors and deficiencies such as the X-Frame-Options (XFO) header, which controls whether a website may be loaded in a frame by itself, by another site, or by neither, Acunetix reports a missing XFO if the scanned web application does not set, or mistakenly sets, the XFO header. An attacker could exploit such configuration errors by convincing an authorized user to click a malicious link or button that triggers a potentially state-changing operation, which could result in records being deleted or hidden resources being uncovered.
Low severity example
This is what a report of a low severity vulnerability looks like in Acunetix.
Suggested action for low severity vulnerabilities
A decision on whether to fix these issues should be determined by assessing the context in the application and by considering the business impacts.
Informational alerts
Informational alert findings are mostly there to inform you about the target's components and infrastructure. They help you understand the application's technology stack and dependencies.
Impacts of informational alerts
- The issues highlighted in these alerts can help attackers understand the target more and therefore tailor their attack better, eliminate other possibilities, and conduct vulnerability mapping.
- For example, revealing that a website uses a certain IIS version does not seem that important at first sight. However, it means that the target web server runs a Windows OS, so an attacker can eliminate attack possibilities regarding other operating systems. In addition, vendors who use IIS tend to prefer application infrastructures offered by Microsoft, so an attacker could reasonably assume that the target application was developed using either ASP or .NET technologies. This can further help them eliminate other attack possibilities regarding other application infrastructure and save time.
- In the case of vulnerability mapping, if the target uses older versions of IIS that have known security issues, this can allow a target machine to be compromised by an attacker. For instance, CVE-2017-7269 was an issue in IIS 6.0 and exploited since 2016. It allows remote attackers to execute arbitrary code on the target. (Please note that in the case of an out-of-date component and an associated vulnerability, this would be reported at a higher level than an informational alert.)
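The header checks described in the low severity and informational alert sections above, as an added example that is not Acunetix's own code: a small checker that parses the head of an HTTP response, flags a missing or invalid X-Frame-Options header and a Server header that discloses a technology or version, assigns each finding one of the severity levels used on this page (missing or misconfigured XFO and a disclosed version number are Low; a product name without a version is Informational), and orders the findings for triage. The sample responses, the finding titles and the severity assignments for these two checks are assumptions made for this example.

```python
"""Classify HTTP response header findings into Acunetix-style severity levels.

Added example (not Acunetix code). Severity assignments follow this page:
missing/invalid X-Frame-Options and a disclosed version number are Low,
a disclosed product name without a version is Informational.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rank used to order findings; higher rank is reported first.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Values the X-Frame-Options header is defined to accept. ALLOW-FROM is
# obsolete and ignored by current browsers, so it counts as a misconfiguration.
VALID_XFO = {"DENY", "SAMEORIGIN"}


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    detail: str


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a map of lowercased header names."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_xfo(headers: Dict[str, str]) -> Optional[Finding]:
    """Missing or invalid X-Frame-Options: reported as Low, as on this page."""
    value = headers.get("x-frame-options")
    if value is None:
        return Finding("Low", "Missing X-Frame-Options header",
                       "Set X-Frame-Options: DENY or SAMEORIGIN")
    if value.upper() not in VALID_XFO:
        return Finding("Low", "Invalid X-Frame-Options value", f"got {value!r}")
    return None


def check_server_disclosure(headers: Dict[str, str]) -> Optional[Finding]:
    """Server header: version number is Low, bare product name is Informational."""
    server = headers.get("server")
    if not server:
        return None
    if re.search(r"\d+\.\d+", server):
        return Finding("Low", "Server version disclosure", server)
    return Finding("Informational", "Server technology disclosure", server)


def classify(raw: str) -> List[Finding]:
    """Run all checks and return findings ordered from highest to lowest severity."""
    headers = parse_headers(raw)
    findings = [f for f in (check_xfo(headers), check_server_disclosure(headers)) if f]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


# Constructed sample responses (not captured from any real server).
SAMPLE_BAD = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
              "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
              "Content-Type: text/html\r\n\r\n<html>")
SAMPLE_INFO = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_GOOD = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: DENY\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("info", SAMPLE_INFO), ("good", SAMPLE_GOOD)):
        print(label)
        for finding in classify(sample):
            print(f"  [{finding.severity}] {finding.title}: {finding.detail}")
```

The version check is deliberately crude (any `major.minor` number in the Server header); a real scanner would also compare the disclosed version against a vulnerability database, which is the step this page calls vulnerability mapping and which raises the finding above Informational when an out-of-date component is involved.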
Informational alert example
This is what a report of an informational alert issue looks like in Acunetix.
Suggested action for informational alerts
Most of the time, there is no need to take any action for informational alerts. However, it is recommended that you manually review these findings and modify your web application to make it secure and avoid revealing details that give hints or information regarding the application itself.