Web Application Vulnerabilities Index
This page lists all vulnerabilities that can be detected by Invicti.
| Vulnerability Name | Classifications | Severity |
|---|---|---|
| Arbitrary File Creation Detected | CWE-20; OWASP 2017-A5 | High |
| Arbitrary File Deletion Detected | CWE-20; OWASP 2017-A5 | High |
| ASP.NET Tracing Is Enabled | CWE-11; OWASP 2013-A5; OWASP 2017-A6 | High |
| Backup Source Code Detected | PCI v3.2-6.5.8; CAPEC-87; CWE-530; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-34; OWASP 2013-A7; OWASP 2017-A5 | High |
| Basic Authorization over HTTP | PCI v3.2-6.5.4; CAPEC-65; CWE-319; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | High |
| Blind Cross-site Scripting | PCI v3.2-6.5.7; CAPEC-19; CWE-79; HIPAA-164.308(a); ISO27001-A.14.2.5; WASC-8; OWASP 2013-A3; OWASP 2017-A7 | High |
| Certificate is Signed Using a Weak Signature Algorithm | PCI v3.2-6.5.4; CAPEC-459; ISO27001-A.10; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | High |
| Cross-site Scripting | PCI v3.2-6.5.7; CAPEC-19; CWE-79; HIPAA-164.308(a); ISO27001-A.14.2.5; WASC-8; OWASP 2013-A3; OWASP 2017-A7 | High |
| Cross-site Scripting (DOM based) | PCI v3.2-6.5.7; CAPEC-19; CWE-79; HIPAA-164.308(a); ISO27001-A.14.2.5; WASC-8; OWASP 2013-A3; OWASP 2017-A7 | High |
| Cross-site Scripting via Remote File Inclusion | PCI v3.2-6.5.7; CAPEC-19; CWE-79; HIPAA-164.308(a); ISO27001-A.14.2.5; WASC-8; OWASP 2013-A3; OWASP 2017-A7 | High |
| Database User Has Admin Privileges | PCI v3.2-6.5.6; CWE-267; ISO27001-A.9.2.2; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | High |
| Elmah.axd / Errorlog.axd Detected | PCI v3.2-6.5.6; CAPEC-347; CWE-16; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | High |
| Expression Language Injection | PCI v3.2-6.5.1; CWE-20; HIPAA-164.308(a); ISO27001-A.14.2.5; OWASP 2013-A1; OWASP 2017-A1 | High |
| F5 Big-IP Local File Inclusion (CVE-2020-5902) | PCI v3.2-6.5.8; CAPEC-252; CWE-22; HIPAA-164.306(a); ISO27001-A.14.2.5; WASC-33; OWASP 2013-A4; OWASP 2017-A5 | High |
| Insecure Transportation Security Protocol Supported (SSLv2) | PCI v3.2-6.5.4; CAPEC-217; CWE-326; HIPAA-164.306; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | High |
| JWT Forgery via Chaining Jku Parameter with Open Redirect | CWE-347; OWASP 2017-A2 | High |
| JWT Forgery via Path Traversal | CWE-22; OWASP 2017-A1 | High |
| JWT Forgery via SQL Injection | CWE-89; OWASP 2017-A1 | High |
| JWT Forgery via unvalidated jku parameter | CWE-22; OWASP 2017-A1 | High |
| JWT Signature Bypass via None Algorithm | CWE-347; OWASP 2017-A2 | High |
| JWT Signature is not Verified | CWE-347; OWASP 2017-A2 | High |
| Local File Inclusion | PCI v3.2-6.5.8; CAPEC-252; CWE-22; HIPAA-164.306(a); ISO27001-A.14.2.5; WASC-33; OWASP 2013-A4; OWASP 2017-A5 | High |
| Local File Inclusion (IAST) | PCI v3.2-6.5.8; CAPEC-252; CWE-22; HIPAA-164.306(a); ISO27001-A.14.2.5; WASC-33; OWASP 2013-A4; OWASP 2017-A5 | High |
| Oracle WebLogic Authentication Bypass (CVE-2020-14883) | CWE-288; OWASP 2013-A2; OWASP 2017-A2 | High |
| Out of Band XML External Entity Injection | PCI v3.2-6.5.1; CAPEC-376; CWE-611; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-43; OWASP 2013-A1; OWASP 2017-A4 | High |
| Out-of-date Version (Microsoft SQL Server) | PCI v3.2-6.2; CAPEC-310; CWE-1035, 937; HIPAA-164.308(a)(1)(i); ISO27001-A.14.1.2; OWASP 2013-A9; OWASP 2017-A9 | High |
| Out-of-date Version (MySQL) | PCI v3.2-6.2; CAPEC-310; CWE-1035, 937; HIPAA-164.308(a)(1)(i); ISO27001-A.14.1.2; OWASP 2013-A9; OWASP 2017-A9 | High |
| Out-of-date Version (Oracle) | PCI v3.2-6.2; CAPEC-310; CWE-1035, 937; HIPAA-164.308(a)(1)(i); ISO27001-A.14.1.2; OWASP 2013-A9; OWASP 2017-A9 | High |
| Out-of-date Version (PostgreSQL) | PCI v3.2-6.2; CAPEC-310; CWE-1035, 937; HIPAA-164.308(a)(1)(i); ISO27001-A.14.1.2; OWASP 2013-A9; OWASP 2017-A9 | High |
| Password Transmitted over HTTP | PCI v3.2-6.5.4; CAPEC-65; CWE-319; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | High |
| ROBOT Attack Detected (Strong Oracle) | PCI v3.2-6.5.4; CAPEC-217; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | High |
| ROBOT Attack Detected (Weak Oracle) | PCI v3.2-6.5.4; CAPEC-217; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | High |
| Ruby on Rails File Content Disclosure (CVE-2019-5418) | PCI v3.2-6.5.8; CAPEC-252; CWE-98; HIPAA-164.306(a); ISO27001-A.14.2.5; WASC-33; OWASP 2013-A4; OWASP 2017-A5 | High |
| Server-Side Request Forgery (Apache Server Status) | CWE-918; ISO27001-A.14.2.5; OWASP 2013-A5; OWASP 2017-A6 | High |
| Server-Side Request Forgery (AWS) | CWE-918; ISO27001-A.14.2.5; OWASP 2017-A5 | High |
| Server-Side Request Forgery (elmah MVC) | PCI v3.2-6.5.6; CAPEC-347; CWE-918; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | High |
| Server-Side Request Forgery (elmah) | PCI v3.2-6.5.6; CAPEC-347; CWE-918; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | High |
| Server-Side Request Forgery (MySQL) | CWE-918; ISO27001-A.14.2.5; OWASP 2013-A5; OWASP 2017-A6 | High |
| Server-Side Request Forgery (SSH) | CWE-918; ISO27001-A.14.2.5; OWASP 2013-A5; OWASP 2017-A6 | High |
| Session Cookie Not Marked as Secure | PCI v3.2-6.5.10; CAPEC-102; CWE-614; ISO27001-A.14.1.2; WASC-15; OWASP 2013-A6; OWASP 2017-A3 | High |
| SVN Detected | CAPEC-118; CWE-527; ISO27001-A.9.4.1; WASC-13; OWASP 2013-A5; OWASP 2017-A6 | High |
| Trace.axd Detected | PCI v3.2-6.5.6; CAPEC-347; CWE-16; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | High |
| Unrestricted File Upload | PCI v3.2-6.5.1; CWE-434; ISO27001-A.14.2.5; OWASP 2013-A1; OWASP 2017-A1 | High |
| Weak Basic Authentication Credentials | PCI v3.2-6.5.10; CAPEC-16; CWE-521; ISO27001-A.9.4.3; WASC-15; OWASP 2013-A6; OWASP 2017-A3 | High |
| Weak Secret is Used to Sign JWT | CWE-347; OWASP 2017-A2 | High |
| WebDAV Directory Has Write Permissions | PCI v3.2-6.5.8; CWE-732; ISO27001-A.9.4.1; WASC-17; OWASP 2017-A6 | High |
| XML External Entity Injection | PCI v3.2-6.5.1; CAPEC-376; CWE-611; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-43; OWASP 2013-A1; OWASP 2017-A4 | High |
