| Vulnerability Name | CVE | CWE | Severity |
| --- | --- | --- | --- |
| .htaccess file readable | | CWE-443 | Medium |
| Access-Control-Allow-Origin header with wildcard (*) value | | CWE-284 | Informational |
| Adobe ColdFusion 9 administrative login bypass | CVE-2013-0625, CVE-2013-0629, CVE-2013-0631, CVE-2013-0632 | CWE-287 | High |
| Adobe Experience Manager Information Disclosure via Apache Sling v2.3.6 vulnerability | CVE-2016-0956 | CWE-668 | Medium |
| Adobe Experience Manager Misconfiguration | CVE-2016-0957 | CWE-693 | High |
| Apache Axis2 administration console weak password | | CWE-200 | High |
| Apache Cassandra Unauthorized Access Vulnerability | | CWE-200 | Medium |
| Apache configured to run as proxy | | CWE-441 | Medium |
| Apache Geronimo default administrative credentials | | CWE-693 | High |
| Apache JServ protocol service | | CWE-200 | Medium |
| Apache Kafka Unauthorized Access Vulnerability | | CWE-200 | Medium |
| Apache mod_negotiation filename bruteforcing | | CWE-538 | Low |
| Apache perl-status enabled | | CWE-200 | Medium |
| Apache Proxy HTTP CONNECT method enabled | | CWE-441 | Medium |
| Apache REST RCE | CVE-2018-11770 | CWE-94 | High |
| Apache Roller OGNL injection | CVE-2013-4212 | CWE-20 | High |
| Apache server-info enabled | | CWE-200 | Medium |
| Apache server-status enabled | | CWE-200 | Medium |
| Apache Solr endpoint | | CWE-200 | Low |
| Apache solr service exposed | | CWE-200 | High |
| Apache Spark Master Unauthorized Access Vulnerability | | CWE-200 | High |
| Apache Spark Web UI Unauthorized Access Vulnerability | | CWE-200 | Medium |
| Apache stronghold-info enabled | | CWE-200 | Low |
| Apache stronghold-status enabled | | CWE-200 | Low |
| Apache Tapestry weak secret key | | CWE-693 | High |
| Apache Tomcat examples directory vulnerabilities | | CWE-264 | Medium |
| Apache Tomcat insecure default administrative password | | CWE-284 | High |
| Apache Tomcat version older than 6.0.35 | CVE-2011-3190, CVE-2011-3375, CVE-2012-0022 | CWE-264 | High |
| Apache Tomcat version older than 6.0.36 | CVE-2012-2733, CVE-2012-3439, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534 | CWE-20 | High |
| Apache Tomcat version older than 7.0.21 | CVE-2011-3190 | CWE-264 | High |
| Apache Tomcat version older than 7.0.23 | CVE-2012-0022 | CWE-189 | High |
| Apache Tomcat version older than 7.0.28 | CVE-2012-2733, CVE-2012-4534 | CWE-20 | High |
| Apache Tomcat version older than 7.0.30 | CVE-2012-3439, CVE-2012-3544, CVE-2012-3546 | CWE-20 | High |
| Apache Tomcat version older than 7.0.32 | CVE-2012-4431 | CWE-264 | Medium |
| Apache ZooKeeper Unauthorized Access Vulnerability | | CWE-200 | Medium |
| ASP.NET application-level tracing enabled | | CWE-215 | Medium |
| ASP.NET application trace enabled | | CWE-215 | Medium |
| ASP.NET ASPX debugging enabled | | CWE-11 | Medium |
| ASP.NET connection strings stored in plaintext | | CWE-16 | High |
| ASP.NET cookieless authentication enabled | | CWE-598 | Medium |
| ASP.NET Cookieless session state enabled | | CWE-598 | Medium |
| ASP.NET cookies accessible from client-side scripts | | CWE-1004 | Medium |
| ASP.NET custom errors disabled | | CWE-12 | Medium |
| ASP.NET debugging enabled | | CWE-11 | Low |
| ASP.NET Deny missing from authorization rule on location | | CWE-16 | Medium |
| ASP.NET diagnostic page | | CWE-200 | Medium |
| ASP.NET EnableViewStateMac turned off | | CWE-642 | Medium |
| ASP.NET error message | | CWE-12 | Medium |
| ASP.NET event validation disabled | | CWE-16 | Medium |
| ASP.NET expired session IDs are not regenerated | | CWE-16 | Medium |
| ASP.NET failure to require SSL for authentication cookies | | CWE-319 | Medium |
| ASP.NET forms authentication using inadequate protection | | CWE-16 | Medium |
| ASP.NET header checking is disabled in web.config | | CWE-16 | Medium |
| ASP.NET login credentials stored in plain text | | CWE-256 | Medium |
| ASP.NET potential HTTP Verb Tampering | | CWE-16 | Medium |
| ASP.NET ValidateRequest globally disabled | | CWE-707 | Medium |
| ASP.NET viewstate encryption disabled | | CWE-16 | Medium |
| ASP.NET ViewStateUserKey not set | | CWE-642 | Low |
| ASP.NET WCF metadata enabled for behavior | | CWE-16 | Medium |
| ASP.NET WCF replay attacks are not detected | | CWE-16 | Medium |
| ASP.NET WCF service include exception details | | CWE-16 | Medium |
| AWStats script | | CWE-538 | Medium |
| Axis development mode enabled in WEB-INF/server-config.wsdd | | CWE-16 | Medium |
| Axis system configuration listing enabled in WEB-INF/server-config.wsdd | | CWE-16 | Medium |
| BottlePy weak secret key | | CWE-693 | High |
| Broken Link Hijacking | | CWE-610 | Low |
| Chrome Logger information disclosure | | CWE-200 | Medium |
| CodeIgniter development mode enabled | | CWE-16 | Medium |
| CodeIgniter session decoding vulnerability | | CWE-327 | High |
| CodeIgniter weak encryption key | | CWE-200 | High |
| ColdFusion administrator login page publicly available | | CWE-200 | Low |
| ColdFusion RDS Service enabled | | CWE-200 | Low |
| Content Security Policy (CSP) not implemented | | CWE-1021 | Informational |
| Content Security Policy Misconfiguration | | CWE-16 | Informational |
| Content type is not specified | | CWE-16 | Informational |
| Cookie signed with weak secret key | | CWE-693 | Medium |
| Cookies with missing, inconsistent or contradictory properties | | CWE-284 | Low |
| Cookies without HttpOnly flag set | | CWE-1004 | Low |
| Cookies without Secure flag set | | CWE-614 | Low |
| Cookies with Secure flag set over insecure connection | | CWE-16 | Informational |
| Core dump file | | CWE-200 | High |
| CouchDB REST API publicly accessible | | CWE-285 | High |
| CRIME SSL/TLS attack | CVE-2012-4929 | CWE-310 | Medium |
| Custom error pages are not configured | | CWE-16 | Medium |
| Devise weak password | | CWE-200 | High |
| Directory listings | | CWE-538 | Medium |
| Django Debug Toolbar | | CWE-200 | Medium |
| Django weak secret key | | CWE-693 | Medium |
| Docker Engine API is accessible without authentication | | CWE-287 | High |
| Docker Registry API is accessible without authentication | | CWE-287 | High |
| Drupal configuration file weak file permissions | | CWE-16 | Medium |
| Drupal trusted_host_patterns setting not configured | | CWE-16 | Medium |
| Elasticsearch service accessible | | CWE-200 | High |
| elmah.axd information disclosure | | CWE-209 | Medium |
| Error page path disclosure | | CWE-200 | Low |
| Error page web server version disclosure | | CWE-200 | Informational |
| Express cookie-session weak secret key | | CWE-693 | Medium |
| Express express-session weak secret key | | CWE-693 | Informational |
| Express running in development mode | | CWE-200 | Medium |
| File uploads | | CWE-16 | Informational |
| Firebase database accessible without authentication | | CWE-200 | Medium |
| Flask weak secret key | | CWE-693 | Medium |
| Frontpage authors.pwd available | | CWE-538 | Medium |
| Frontpage extensions enabled | | CWE-16 | Medium |
| GlassFish admin console weak credentials | | CWE-693 | High |
| Grails database console | | CWE-200 | Medium |
| GraphiQL Explorer/Playground Enabled | | CWE-200 | Medium |
| GraphQL Alias Overloading Allowed: Potential Denial of Service Vulnerability | | CWE-400 | Medium |
| GraphQL Array-based Query Batching Allowed: Potential Batching Attack Vulnerability | | CWE-770 | Medium |
| GraphQL Circular-Query via Introspection Allowed: Potential DoS Vulnerability | | CWE-400 | Medium |
| GraphQL Field Suggestions Enabled | | CWE-200 | Medium |
| GraphQL Introspection Query Enabled | | CWE-200 | Medium |
| GraphQL Non-JSON Mutations over GET: Potential CSRF Vulnerability | | CWE-352 | Medium |
| GraphQL Non-JSON Queries over GET: Potential CSRF Vulnerability | | CWE-352 | Medium |
| GraphQL Unhandled Error Leakage | | CWE-209 | Medium |
| H2 console publicly accessible | | CWE-287 | Low |
| Hadoop cluster web interface | | CWE-200 | Medium |
| Hadoop YARN ResourceManager publicly accessible | | CWE-200 | High |
| Hostile subdomain takeover | | CWE-16 | Medium |
| HTTP header reflected in cached response | | CWE-16 | Medium |
| Httpoxy vulnerability | | CWE-16 | Medium |
| HTTP verb tampering | | CWE-285 | High |
| HTTP verb tampering via POST | | CWE-285 | High |
| IBM WebSphere administration console weak password | | CWE-200 | High |
| IIS extended unicode directory traversal vulnerability | CVE-2000-0884 | CWE-22 | High |
| Internet Information Server returns IP address in HTTP header (Content-Location) | | CWE-200 | Low |
| JAAS authentication bypass | | CWE-693 | High |
| Java Debug Wire Protocol remote code execution | | CWE-94 | High |
| Java Management Extensions (JMX/RMI) service detected | | CWE-200 | Medium |
| JavaMelody publicly accessible | | CWE-200 | Medium |
| JBoss BSHDeployer MBean | | CWE-200 | High |
| JBoss HttpAdaptor JMXInvokerServlet | | CWE-94 | High |
| JBoss JMX Console Unrestricted Access | | CWE-200 | High |
| JBoss JMX management console | | CWE-200 | High |
| JBoss ServerInfo MBean | CVE-2010-0738 | CWE-200 | High |
| JBoss Server MBean | | CWE-200 | High |
| JBoss Web Console JMX Invoker | | CWE-200 | High |
| Jenkins weak password | | CWE-200 | High |
| Jetpack 2.9.3: Critical Security Update | CVE-2014-0173 | CWE-287 | High |
| JIRA Security Advisory 2013-02-21 | | CWE-22 | High |
| Joomla! 3.2.1 sql injection | | CWE-89 | High |
| Joomla! Core Security Bypass | CVE-2017-11364 | CWE-264 | High |
| Joomla 1.5 end of life | | CWE-1104 | High |
| JSF ViewState client side storage | | CWE-693 | Medium |
| Jupyter Notebook publicly accessible | | CWE-78 | High |
| JWT none algorithm | | CWE-345 | Medium |
| JWT weak secret key | | CWE-345 | Medium |
| Laravel debug mode enabled (AcuSensor) | | CWE-16 | Medium |
| Magento Cacheleak | | CWE-200 | High |
| MediaWiki remote code execution | CVE-2014-1610 | CWE-20 | High |
| Memcached Unauthorized Access Vulnerability | | CWE-200 | Medium |
| Microsoft Frontpage configuration information | | CWE-200 | Informational |
| Microsoft IIS5 NTLM and Basic authentication bypass | CVE-2007-2815 | CWE-264 | High |
| Microsoft IIS WebDAV authentication bypass | CVE-2009-1535 | CWE-287 | High |
| Mojolicious weak secret key | | CWE-693 | Medium |
| MovableType remote code execution | CVE-2015-1592 | CWE-94 | High |
| Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28 | CVE-2014-0185 | CWE-1104 | Medium |
| Multiple vulnerabilities in Ioncube loader-wizard.php | | CWE-552 | High |
| MySQL utf8 4-byte truncation | | CWE-176 | Medium |
| Nginx PHP code execution via FastCGI | | CWE-94 | High |
| nginx SPDY heap buffer overflow | CVE-2014-0133 | CWE-122 | High |
| Node.js Web Application does not handle uncaughtException | | CWE-248 | Medium |
| Node.js Web Application does not handle unhandledRejection | | CWE-248 | Medium |
| OData feed accessible anonymously | | CWE-200 | Low |
| Oracle applications logs publicy available | | CWE-200 | Medium |
| Oracle PeopleSoft SSO weak secret key | | CWE-693 | High |
| OSGi Management Console Default Credentials | | CWE-521 | High |
| Overly long session timeout in servlet configuration | | CWE-16 | Medium |
| Padding oracle attack | | CWE-209 | High |
| Permissions-Policy header not implemented | | CWE-1021 | Informational |
| PHP allow_url_fopen enabled | | CWE-829 | Medium |
| PHP allow_url_fopen enabled | | CWE-829 | High |
| PHP allow_url_include enabled | | CWE-829 | Medium |
| PHP allow_url_include enabled | | CWE-829 | High |
| PHP enable_dl enabled | | CWE-470 | Medium |
| PHP errors enabled | | CWE-209 | Medium |
| PHP errors enabled | | CWE-209 | Medium |
| PHP magic_quotes_gpc is disabled | | CWE-150 | High |
| PHP open_basedir is not set | | CWE-664 | Medium |
| PHP open_basedir is not set | | CWE-664 | Medium |
| PHP register_globals enabled | | CWE-1108 | High |
| PHP register_globals enabled | | CWE-1108 | Medium |
| PHP session.use_only_cookies disabled | | CWE-598 | Medium |
| PHP session.use_trans_sid enabled | | CWE-598 | Medium |
| PHP session.use_trans_sid enabled | | CWE-598 | Medium |
| Pyramid debug mode | | CWE-489 | Medium |
| Rails application running in development mode | | CWE-200 | Medium |
| Reachable SharePoint interface | | CWE-200 | High |
| Redis Unauthorized Access Vulnerability | | CWE-200 | Medium |
| RethinkDB administrative interface publicly exposed | | CWE-200 | High |
| Reverse proxy detected | | CWE-16 | Informational |
| Roundcube security updates 0.8.6 and 0.7.3 | CVE-2013-1904 | CWE-22 | High |
| Ruby framework weak secret key | | CWE-693 | High |
| Ruby on Rails database configuration file | | CWE-538 | High |
| Ruby on Rails weak/known secret token | CVE-2013-0156 | CWE-200 | High |
| Same site scripting | | CWE-16 | Medium |
| SAP ICF /sap/public/info sensitive information disclosure | | CWE-200 | Medium |
| SAP Knowledge Management and Collaboration (KMC) incorrect permissions | | CWE-285 | High |
| SAP Management Console get user list | | CWE-200 | High |
| SAP Management Console list logfiles | | CWE-200 | High |
| SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability | | CWE-200 | Medium |
| SAP NetWeaver server info information disclosure | | CWE-200 | Medium |
| SAP NetWeaver server info information disclosure BCB | | CWE-200 | Medium |
| SAP weak/predictable user credentials | | CWE-200 | High |
| Session cookies scoped to parent domain | | CWE-284 | Low |
| SharePoint exposed web services | | CWE-200 | Medium |
| SharePoint user enumeration | | CWE-200 | High |
| Spring Boot Actuator | | CWE-489 | Medium |
| Spring Boot Actuator v2 | | CWE-489 | Medium |
| Spring Boot Misconfiguration: Actuator endpoint security disabled | | CWE-16 | Medium |
| Spring Boot Misconfiguration: Admin MBean enabled | | CWE-16 | Medium |
| Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed | | CWE-16 | Medium |
| Spring Boot Misconfiguration: Datasource credentials stored in the properties file | | CWE-16 | Medium |
| Spring Boot Misconfiguration: Developer tools enabled on production | | CWE-16 | Medium |
| Spring Boot Misconfiguration: H2 console enabled | | CWE-16 | Medium |
| Spring Boot Misconfiguration: MongoDB credentials stored in the properties file | | CWE-16 | Medium |
| Spring Boot Misconfiguration: Overly long session timeout | | CWE-16 | Medium |
| Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed | | CWE-16 | Low |
| Spring Boot Misconfiguration: Unsafe value for session tracking | | CWE-16 | Medium |
| Spring Misconfiguration: HTML Escaping disabled | | CWE-16 | Medium |
| SSL 2.0 deprecated protocol | | CWE-326 | High |
| SSL 3.0 deprecated protocol | | CWE-326 | High |
| Struts 2 Config Browser plugin enabled | | CWE-16 | Medium |
| Struts 2 development mode | | CWE-489 | High |
| Struts 2 development mode enabled | | CWE-16 | High |
| Subresource Integrity (SRI) not implemented | | CWE-830 | Informational |
| Symfony debug mode enabled (AcuSensor) | | CWE-16 | Medium |
| Symfony ESI (Edge-Side Includes) enabled | | CWE-16 | Low |
| Symfony running in dev mode | | CWE-16 | Medium |
| Symfony web debug toolbar | | CWE-489 | Medium |
| The DROWN attack (SSLv2 supported) | CVE-2016-0800 | CWE-310 | High |
| The FREAK attack | CVE-2015-0204 | CWE-310 | Medium |
| The Heartbleed Bug | CVE-2014-0160 | CWE-200 | High |
| The POODLE attack (SSLv3 with CBC cipher suites) | CVE-2014-3566 | CWE-326 | Medium |
| TLS/SSL (EC)DHE Key Reuse | | CWE-310 | Informational |
| TLS/SSL certificate about to expire | | CWE-298 | Low |
| TLS/SSL certificate invalid date | | CWE-298 | High |
| TLS/SSL certificate key size too small | | CWE-310 | Medium |
| TLS/SSL LOGJAM attack | CVE-2015-4000 | CWE-310 | Medium |
| TLS/SSL Sweet32 attack | CVE-2016-2183, CVE-2016-6329 | CWE-310 | Medium |
| TLS/SSL Weak Cipher Suites | | CWE-310 | Medium |
| TLS 1.0 enabled | | CWE-326 | High |
| TLS 1.1 enabled | | CWE-326 | Medium |
| Tomcat status page | | CWE-200 | Low |
| Tornado debug mode | | CWE-489 | Medium |
| Tornado weak secret key | | CWE-693 | Medium |
| TRACE method is enabled | | CWE-489 | Low |
| TRACK method is enabled | | CWE-489 | Low |
| Unicode transformation issues | | CWE-176 | Medium |
| Unprotected phpMyAdmin interface | | CWE-205 | High |
| Unsafe value for session tracking in in servlet configuration | | CWE-16 | Medium |
| Verb tampering via misconfigured security constraint | | CWE-16 | Medium |
| Vulnerable project dependencies | | CWE-937 | High |
| W3 total cache debug mode | | CWE-489 | Medium |
| Weak password | | CWE-200 | High |
| Weak WordPress security key | | CWE-16 | High |
| Web2py weak secret key | | CWE-693 | Medium |
| Webalizer script | | CWE-538 | Medium |
| Web application default/weak credentials | | CWE-200 | High |
| Web Application Firewall detected | | CWE-16 | Informational |
| Web Cache Deception | | | High |
| Web Cache Poisoning | | CWE-44 | High |
| Web Cache Poisoning via Fat GET Request | | CWE-44 | High |
| Web Cache Poisoning via Host Header | | CWE-44 | High |
| Web Cache Poisoning via JSONP and UTM_ parameter | | CWE-44 | High |
| Web Cache Poisoning via POST Request | | CWE-44 | High |
| Web Cache Poisoning via semicolon query separator | | CWE-44 | High |
| WebDAV directory listing | | CWE-538 | Medium |
| WebDAV Directory with write permissions | | CWE-264 | High |
| WebDAV enabled | | CWE-16 | Low |
| WebDAV remote code execution | | CWE-434 | High |
| WebLogic admin console weak credentials | | CWE-693 | High |
| Webmail weak password | | CWE-200 | High |
| Web server default welcome page | | CWE-200 | Informational |
| WordPress admin accessible without HTTP authentication | | CWE-16 | Low |
| WordPress allows editing theme/plugin files | | CWE-16 | Medium |
| WordPress configuration file weak file permissions | | CWE-16 | Medium |
| WordPress default administrator account | | CWE-16 | Low |
| WordPress readme.html file | | CWE-200 | Informational |
| WordPress user registration enabled | | CWE-16 | Informational |
| Xdebug remote code execution via xdebug.remote_connect_back | | CWE-200 | High |
| XML entity injection | | CWE-611 | High |
| XML external entity injection | | CWE-611 | High |
| XML external entity injection (variant) | | CWE-611 | High |
| XML external entity injection and XML injection | | CWE-611 | High |
| XML external entity injection via external file | | CWE-611 | High |
| XML external entity injection via File Upload | | CWE-611 | High |
| Yii2 debug toolkit | | CWE-200 | Medium |
| Yii2 Gii extension | | CWE-200 | Medium |
| Yii2 weak secret key | | CWE-693 | Medium |
| Yii debug mode enabled | | CWE-16 | Medium |
| Yii running in dev mode | | CWE-16 | Medium |