| Vulnerability Name | Classifications | Severity |
|---|---|---|
| Blind Cross-site Scripting | PCI v3.2-6.5.7, CAPEC-19, CWE-79, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | High |
| Cross-site Scripting | PCI v3.2-6.5.7, CAPEC-19, CWE-79, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N | High |
| Cross-site Scripting via File Upload | PCI v3.2-6.5.7, CAPEC-19, CWE-79, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | High |
| Cross-site Scripting via Remote File Inclusion | PCI v3.2-6.5.7, CAPEC-19, CWE-79, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | High |
| Stored Cross-site Scripting | PCI v3.2-6.5.7, CAPEC-19, CWE-79, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | High |
| Active Mixed Content over HTTPS | CWE-319, ISO27001-A.14.1.3, OWASP 2013-A6, OWASP 2017-A3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | Medium |
| Base Tag Hijacking | PCI v3.2-6.5.7, CAPEC-19, CWE-20, HIPAA-164.308(a), ISO27001-A.14.2.5, WASC-8, OWASP 2013-A3, OWASP 2017-A7, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | Medium |
| Unicode Transformation (Best-Fit Mapping) | CWE-20, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Medium |
| Insecure Reflected Content | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A1 | Low |
| Misconfigured Access-Control-Allow-Origin Header | PCI v3.2-6.5.8, CWE-16, ISO27001-A.14.1.2, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Low |
| Passive Mixed Content over HTTPS | CWE-319, ISO27001-A.14.1.3, OWASP 2013-A6, OWASP 2017-A3 | Low |
| Content Security Policy (CSP) Not Implemented | CWE-16, ISO27001-A.14.2.5, WASC-15 | Best Practice |
| An Unsafe Content Security Policy (CSP) Directive in Use | CWE-16, ISO27001-A.14.2.5, WASC-15 | Information |
| Content Security Policy (CSP) Contains Out of Scope report-uri Domain | ISO27001-A.14.2.5, OWASP 2013-A6, OWASP 2017-A3 | Information |
| Content Security Policy (CSP) Keywords Not Used Within Single Quotes | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Content Security Policy (CSP) Nonce Without Matching Script Block | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Content Security Policy (CSP) report-uri Uses HTTP | ISO27001-A.14.2.5, OWASP 2013-A6, OWASP 2017-A3 | Information |
| Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| data: Used in a Content Security Policy (CSP) Directive | ISO27001-A.14.2.5 | Information |
| default-src Used in Content Security Policy (CSP) | ISO27001-A.14.2.5 | Information |
| Deprecated Header Instruction Used to Implement Content Security Policy (CSP) | CWE-16, ISO27001-A.14.2.5, WASC-15 | Information |
| Incorrect Content Security Policy (CSP) Implementation | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Insecure Protocol Detected in Content Security Policy (CSP) | CWE-319, ISO27001-A.14.2.5 | Information |
| Invalid Content Security Policy (CSP) Directive Identified in meta Elements | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Missing frame-ancestors in CSP Declaration | CWE-16, ISO27001-A.14.2.5, WASC-15 | Information |
| Missing object-src in CSP Declaration | CWE-16, ISO27001-A.14.2.5, WASC-15 | Information |
| Multiple Content Security Policy (CSP) Implementation Detected | CWE-16, ISO27001-A.14.2.5, WASC-15 | Information |
| No Script Block Detected with the Hash Value Declared in Content Security Policy (CSP) | ISO27001-A.14.2.5, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Nonce Usage Detected in Content Security Policy (CSP) Directive | ISO27001-A.14.2.5 | Information |
| Scheme URI Detected in Content Security Policy (CSP) Directive | ISO27001-A.14.2.5 | Information |
| Static Nonce Identified in Content Security Policy (CSP) | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Unsupported Hash Detected in Content Security Policy (CSP) | CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Weak frame-ancestors Detected in Content Security Policy (CSP) Declaration | CWE-330, ISO27001-A.14.2.5, WASC-16, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Weak Nonce Detected in Content Security Policy (CSP) Declaration | CWE-330, ISO27001-A.14.2.5, WASC-16, OWASP 2013-A5, OWASP 2017-A6 | Information |
| Wildcard Detected in Domain Portion of Content Security Policy (CSP) Directive | ISO27001-A.14.2.5 | Information |
| Wildcard Detected in Port Portion of Content Security Policy (CSP) Directive | ISO27001-A.14.2.5 | Information |
| Wildcard Detected in Scheme Portion of Content Security Policy (CSP) Directive | ISO27001-A.14.2.5 | Information |