Configuration Vulnerabilities

| Vulnerability Name | CVE | CWE | Severity |
|---|---|---|---|
| .htaccess file readable | | CWE-16 | Medium |
| Adobe ColdFusion 9 administrative login bypass | CVE-2013-0625, CVE-2013-0629, CVE-2013-0631, CVE-2013-0632 | CWE-287 | High |
| Adobe Experience Manager Misconfiguration | CVE-2016-0957 | CWE-16 | High |
| Apache Axis2 administration console weak password | | CWE-200 | High |
| Apache configured to run as proxy | | CWE-16 | Medium |
| Apache Geronimo default administrative credentials | | CWE-16 | High |
| Apache JServ protocol service | | CWE-16 | Medium |
| Apache mod_negotiation filename bruteforcing | | CWE-538 | Low |
| Apache perl-status enabled | | CWE-200 | Medium |
| Apache Proxy HTTP CONNECT method enabled | | CWE-16 | Medium |
| Apache Roller OGNL injection | CVE-2013-4212 | CWE-20 | High |
| Apache server-info enabled | | CWE-200 | Medium |
| Apache server-status enabled | | CWE-200 | Medium |
| Apache Solr endpoint | | CWE-16 | Low |
| Apache solr service exposed | | CWE-16 | High |
| Apache stronghold-info enabled | | CWE-200 | Low |
| Apache stronghold-status enabled | | CWE-200 | Low |
| Apache Tomcat "allowLinking" on Case Insensitive Filesystems | | CWE-538 | High |
| Apache Tomcat examples directory vulnerabilities | | CWE-264 | Medium |
| Apache Tomcat insecure default administrative password | | CWE-284 | High |
| Apache Tomcat version older than 6.0.35 | CVE-2011-3190, CVE-2011-3375, CVE-2012-0022 | CWE-264 | High |
| Apache Tomcat version older than 6.0.36 | CVE-2012-2733, CVE-2012-3439, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534 | CWE-20 | High |
| Apache Tomcat version older than 7.0.21 | CVE-2011-3190 | CWE-264 | High |
| Apache Tomcat version older than 7.0.23 | CVE-2012-0022 | CWE-189 | High |
| Apache Tomcat version older than 7.0.28 | CVE-2012-2733, CVE-2012-4534 | CWE-20 | High |
| Apache Tomcat version older than 7.0.30 | CVE-2012-3439, CVE-2012-3544, CVE-2012-3546 | CWE-20 | High |
| Apache Tomcat version older than 7.0.32 | CVE-2012-4431 | CWE-264 | High |
| ASP.NET: failure to require SSL for authentication cookies (AcuSensor) | | CWE-16 | Medium |
| ASP.NET application-level tracing enabled (AcuSensor) | | CWE-16 | Medium |
| ASP.NET application trace enabled | | CWE-16 | Medium |
| ASP.NET ASPX debugging enabled (AcuSensor) | | CWE-16 | Medium |
| ASP.NET cookieless authentication enabled (AcuSensor) | | CWE-16 | Medium |
| ASP.NET Cookieless session state enabled (AcuSensor) | | CWE-16 | Medium |
| ASP.NET cookies accessible from client-side scripts (AcuSensor) | | CWE-16 | Medium |
| ASP.NET custom errors disabled (AcuSensor) | | CWE-16 | Medium |
| ASP.NET debugging enabled | | CWE-16 | Low |
| ASP.NET diagnostic page | | CWE-200 | Medium |
| ASP.NET EnableViewStateMac turned off (AcuSensor) | | CWE-16 | Medium |
| ASP.NET error message | | CWE-16 | Medium |
| ASP.NET login credentials stored in plain text (AcuSensor) | | CWE-16 | Medium |
| ASP.NET padding oracle vulnerability | CVE-2010-3332 | CWE-310 | High |
| ASP.NET ValidateRequest globally disabled (AcuSensor) | | CWE-16 | Medium |
| ASP.NET ViewStateUserKey not set (AcuSensor) | | CWE-16 | Low |
| Atlassian Jira DOM-based cross-site scripting vulnerability | | CWE-79 | High |
| AWStats script | | CWE-538 | Medium |
| Bonjour service running | | CWE-16 | Low |
| BREACH attack | CVE-2013-3587 | CWE-310 | Medium |
| Broken links | | CWE-16 | Informational |
| Chargen service running | | CWE-16 | Medium |
| Chrome Logger information disclosure | | CWE-16 | Medium |
| CodeIgniter session decoding vulnerability | | CWE-16 | High |
| CodeIgniter weak encryption key | | CWE-200 | High |
| ColdFusion administrator login page publicly available | | CWE-16 | Low |
| ColdFusion RDS Service enabled | | CWE-16 | Low |
| Content Security Policy (CSP) not implemented | | CWE-16 | Informational |
| Content type is not specified | | CWE-16 | Informational |
| Cookie(s) without HttpOnly flag set | | CWE-16 | Low |
| Cookie(s) without Secure flag set | | CWE-16 | Low |
| Core dump file | | CWE-200 | High |
| CouchDB REST API publicly accessible | | CWE-285 | High |
| CRIME SSL/TLS attack | CVE-2012-4929 | CWE-310 | Medium |
| Cross domain data hijacking | | CWE-20 | Medium |
| Daytime service running | | CWE-16 | Informational |
| Debian OpenSSL predictable random number generator (SSH) | CVE-2008-0166 | CWE-310 | High |
| Debian OpenSSL predictable random number generator (SSL) | CVE-2008-0166 | CWE-310 | High |
| Devise weak password | | CWE-200 | High |
| Directory listing | | CWE-538 | Medium |
| DNS cache snooping | | CWE-16 | Medium |
| DNS open recursion | | CWE-16 | Medium |
| DNS zone transfer | CVE-1999-0532 | CWE-16 | High |
| Docker Engine API is accessible without authentication | | CWE-287 | High |
| Docker Registry API is accessible without authentication | | CWE-287 | High |
| Echo service running | | CWE-16 | Medium |
| Elasticsearch service accessible | | CWE-16 | High |
| elmah.axd information disclosure | | CWE-16 | Medium |
| Error page path disclosure | | CWE-200 | Low |
| Error page web server version disclosure | | CWE-200 | Informational |
| Exim Illegal IPv6 Address and SPA Authentication Buffer Overflow | CVE-2005-0021 | CWE-119 | High |
| File upload | | CWE-16 | Low |
| Finger service running | | CWE-16 | Medium |
| Firebase database accessible without authentication | | CWE-200 | Medium |
| Frontpage authors.pwd available | | CWE-538 | Medium |
| Frontpage extensions enabled | | CWE-16 | Low |
| FTP anonymous logins | | CWE-16 | Low |
| FTP anonymous writable directories | | CWE-16 | Medium |
| FTP weak password | | CWE-16 | High |
| GlassFish admin console weak credentials | | CWE-16 | High |
| Grails database console | | CWE-16 | Medium |
| Hadoop cluster web interface | | CWE-16 | High |
| Hadoop YARN ResourceManager publicly accessible | | CWE-16 | High |
| Hidden form input named price was found | | CWE-16 | Low |
| Hostile subdomain takeover | | CWE-16 | High |
| Httpoxy vulnerability | | CWE-16 | Medium |
| HTTP verb tampering | | CWE-285 | High |
| HTTP verb tampering via POST | | CWE-285 | High |
| IBM WebSphere administration console weak password | | CWE-200 | High |
| IIS extended unicode directory traversal vulnerability | CVE-2000-0884 | CWE-22 | High |
| IMAP weak password | | CWE-16 | High |
| Insecure clientaccesspolicy.xml file | | CWE-16 | Medium |
| Insecure crossdomain.xml file | | CWE-284 | Medium |
| Insecure Flash embed parameter | | CWE-284 | Low |
| Insecure response with wildcard '*' in Access-Control-Allow-Origin | | CWE-16 | Low |
| Internet Explorer XSS Protection disabled on this page | | CWE-16 | Informational |
| Internet Information Server returns IP address in HTTP header (Content-Location) | | CWE-200 | Low |
| JAAS authentication bypass | | CWE-16 | High |
| Java Debug Wire Protocol remote code execution | | CWE-16 | High |
| Java Management Extensions (JMX/RMI) service detected | | CWE-16 | Medium |
| JavaMelody publicly accessible | | CWE-200 | Medium |
| JBoss BSHDeployer MBean | | CWE-16 | High |
| JBoss HttpAdaptor JMXInvokerServlet | | CWE-16 | High |
| JBoss JMX Console Unrestricted Access | | CWE-16 | High |
| JBoss JMX management console | | CWE-16 | High |
| JBoss ServerInfo MBean | CVE-2010-0738 | CWE-16 | High |
| JBoss Server MBean | | CWE-16 | High |
| JBoss Web Console JMX Invoker | | CWE-16 | High |
| Jenkins weak password | | CWE-200 | High |
| Jetpack 2.9.3: Critical Security Update | CVE-2014-0173 | CWE-287 | High |
| JIRA Security Advisory 2013-02-21 | | CWE-16 | High |
| Joomla! 3.2.1 sql injection | | CWE-89 | High |
| Joomla! Core Security Bypass | CVE-2017-11364 | CWE-264 | High |
| Joomla 1.5 end of life | | CWE-16 | High |
| JSF ViewState client side storage | | CWE-16 | Medium |
| Jupyter Notebook publicly accessible | | CWE-16 | High |
| LDAP anonymous binds | | CWE-16 | Medium |
| Login page password-guessing attack | | CWE-307 | Low |
| Magento Cacheleak | | CWE-200 | High |
| MediaWiki remote code execution | CVE-2014-1610 | CWE-20 | High |
| Microsoft Frontpage configuration information | | CWE-200 | Informational |
| Microsoft IIS5 NTLM and Basic authentication bypass | CVE-2007-2815 | CWE-264 | High |
| Microsoft IIS WebDAV authentication bypass | CVE-2009-1535 | CWE-287 | High |
| Microsoft SQL Server weak password | | CWE-16 | High |
| Microsoft SQL Server weak password encryption vulnerability | CVE-2000-0199 | CWE-310 | Medium |
| MovableType remote code execution | CVE-2015-1592 | CWE-94 | High |
| Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28 | CVE-2014-0185 | CWE-16 | Medium |
| Multiple vulnerabilities in Ioncube loader-wizard.php | | CWE-16 | High |
| MySQL Community Server 5.0 to 5.0.45 multiple vulnerabilities | CVE-2007-2691, CVE-2007-2692, CVE-2007-3780, CVE-2007-3781, CVE-2007-3782 | CWE-264 | Low |
| MySQL Server weak password | | CWE-16 | High |
| MySQL utf8 4-byte truncation | | CWE-16 | Medium |
| Nginx PHP code execution via FastCGI | | CWE-16 | High |
| nginx SPDY heap buffer overflow | CVE-2014-0133 | CWE-122 | High |
| Open proxy server | | CWE-16 | Medium |
| Open SOCKS server | | CWE-16 | Medium |
| Open X11 server | | CWE-16 | High |
| OPTIONS method is enabled | | CWE-200 | Low |
| Oracle applications logs publicly available | | CWE-200 | Medium |
| Oracle Database Listener has no password | | CWE-16 | High |
| OSGi Management Console Default Credentials | | CWE-521 | High |
| Padding oracle attack | | CWE-209 | High |
| PHP.exe Windows CGI for Apache may let remote users view files on the server | CVE-2002-2029 | CWE-16 | Low |
| PHP allow_url_fopen enabled | | CWE-16 | Medium |
| PHP allow_url_fopen enabled (AcuSensor) | | CWE-16 | High |
| PHP allow_url_include enabled | | CWE-16 | High |
| PHP allow_url_include enabled (AcuSensor) | | CWE-16 | High |
| PHP enable_dl enabled (AcuSensor) | | CWE-16 | Medium |
| PHP errors enabled | | CWE-16 | Medium |
| PHP errors enabled (AcuSensor) | | CWE-16 | Medium |
| PHP magic_quotes_gpc is disabled (AcuSensor) | | CWE-16 | High |
| PHP open_basedir is not set | | CWE-16 | Medium |
| PHP open_basedir is not set (AcuSensor) | | CWE-16 | Medium |
| PHP register_globals enabled | | CWE-16 | High |
| PHP register_globals enabled (AcuSensor) | | CWE-16 | High |
| PHP session.use_only_cookies disabled | | CWE-16 | Medium |
| PHP session.use_trans_sid enabled | | CWE-16 | Medium |
| PHP session.use_trans_sid enabled (AcuSensor) | | CWE-16 | Medium |
| POP3 weak password | | CWE-16 | High |
| PostgreSQL weak password | | CWE-16 | High |
| Proxy accepts CONNECT requests | | CWE-16 | High |
| Proxy accepts CONNECT requests to itself | | CWE-16 | Medium |
| Proxy accepts POST requests | | CWE-16 | High |
| Proxy can be used to connect to arbitrary ports | | CWE-16 | High |
| Pyramid debug mode | | CWE-16 | Medium |
| Rails application running in development mode | | CWE-200 | Medium |
| RC4 cipher suites detected | CVE-2013-2566 | CWE-310 | Medium |
| Reachable SharePoint interface | | CWE-16 | High |
| RealVNC remote authentication bypass | CVE-2006-2369 | CWE-287 | High |
| Rlogin service running | | CWE-16 | Low |
| Roundcube security updates 0.8.6 and 0.7.3 | CVE-2013-1904 | CWE-22 | High |
| Rsh service running | | CWE-16 | Low |
| Ruby on Rails database configuration file | | CWE-538 | High |
| Ruby on Rails weak/known secret token | CVE-2013-0156 | CWE-200 | High |
| Same site scripting | | CWE-16 | Medium |
| Session Cookie scoped to parent domain | | CWE-16 | Low |
| SharePoint exposed web services | | CWE-200 | Medium |
| SharePoint user enumeration | | CWE-200 | High |
| SMB Administrator account without password | | CWE-16 | High |
| SMB list shares | | CWE-16 | Low |
| SMB null session | | CWE-16 | Low |
| SMTP EXPN/VRFY verbs enabled | | CWE-16 | Medium |
| SMTP open mail relay | | CWE-16 | Medium |
| SNMP information disclosure | | CWE-16 | Medium |
| Socks weak password | | CWE-16 | High |
| Solaris in.fingerd information disclosure vulnerability | CVE-2001-1503 | CWE-16 | High |
| Spring Boot Actuator | | CWE-16 | Medium |
| Spring Boot Actuator v2 | | CWE-16 | Medium |
| SSH weak password | | CWE-16 | High |
| SSL 2.0 deprecated protocol | | CWE-16 | High |
| SSL certificate common name invalid | | CWE-295 | Medium |
| SSL certificate invalid date | | CWE-298 | High |
| SSL certificate public key less than 2048 bit | | CWE-310 | Medium |
| SSL weak ciphers | | CWE-310 | Medium |
| Struts 2 development mode | | CWE-16 | High |
| Subresource Integrity (SRI) not implemented | | CWE-16 | Informational |
| Sybase server weak password | | CWE-307 | High |
| Symfony web debug toolbar | | CWE-16 | Medium |
| Telnet service running | | CWE-16 | Low |
| Telnet weak password | | CWE-307 | High |
| The DROWN attack (SSLv2 supported) | CVE-2016-0800 | CWE-310 | High |
| The FREAK attack (export cipher suites supported) | CVE-2015-0204 | CWE-310 | Medium |
| The Heartbleed Bug | CVE-2014-0160 | CWE-200 | High |
| The POODLE attack (SSLv3 supported) | CVE-2014-3566 | CWE-16 | Medium |
| TLS 1.0 enabled | | CWE-16 | Medium |
| TLS 1.1 enabled | | CWE-16 | Informational |
| Tomcat status page | | CWE-200 | Low |
| Tornado debug mode | | CWE-16 | Medium |
| TRACE method is enabled | | CWE-16 | Low |
| TRACK method is enabled | | CWE-16 | Low |
| Trojan horse detected | | CWE-507 | High |
| Unicode transformation issues | | CWE-176 | High |
| Universal Plug and Play service running | | CWE-287 | Medium |
| Unprotected phpMyAdmin interface | | CWE-16 | High |
| UnrealIRCd backdoor | CVE-2010-2075 | CWE-20 | High |
| View state MAC disabled | | CWE-16 | Medium |
| VNC does not require authentication | | CWE-287 | High |
| Vulnerable project dependencies | | CWE-16 | High |
| W3 total cache debug mode | | CWE-16 | Medium |
| Weak password | | CWE-200 | High |
| Webalizer script | | CWE-538 | Medium |
| Web Application Firewall detected | | CWE-16 | Informational |
| Web Cache Poisoning | | CWE-44 | High |
| WebDAV directory listing | | CWE-538 | Medium |
| WebDAV Directory with write permissions | | CWE-264 | High |
| WebDAV enabled | | CWE-16 | Low |
| WebDAV remote code execution | | CWE-434 | High |
| WebLogic admin console weak credentials | | CWE-16 | High |
| Webmail weak password | | CWE-200 | High |
| Web server default welcome page | | CWE-16 | Informational |
| Windows Terminal Services server running | | CWE-16 | Informational |
| WordPress 3.8.2 security release | | CWE-16 | High |
| WordPress admin accessible without HTTP authentication | | CWE-16 | Low |
| WordPress default administrator account | | CWE-16 | Low |
| WordPress PHP Object Injection | CVE-2013-4338 | CWE-94 | High |
| WordPress readme.html file | | CWE-16 | Informational |
| WordPress user registration enabled | | CWE-16 | Informational |
| Xdebug remote code execution via xdebug.remote_connect_back | | CWE-16 | High |
| XDMCP service running | | CWE-16 | Low |
| XML external entity injection | | CWE-611 | High |
| XML external entity injection and XML injection | | CWE-611 | High |
| XML external entity injection via external file | | CWE-611 | High |
| XML external entity injection via File Upload | | CWE-611 | High |
| Yii2 debug toolkit | | CWE-200 | Medium |
| Yii2 Gii extension | | CWE-16 | Medium |
| You are using an old version of Typo3 | | CWE-16 | Medium |
| Your SSL certificate is about to expire | | CWE-298 | Low |