Web Application Vulnerabilities Index
This page lists all vulnerabilities that can be detected by Invicti.
| Vulnerability Name | Classifications | Severity |
|---|---|---|
| Active Mixed Content over HTTPS | CWE-319; ISO27001-A.14.1.3; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Anonymous Ciphers Supported | PCI v3.2-6.5.4; CAPEC-117; CWE-311; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Apache Server-Info Detected | CAPEC-347; CWE-16; ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Apache Server-Status Detected | CAPEC-347; CWE-16; ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| ASP.NET Cookieless Authentication Is Enabled | CWE-16; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| ASP.NET Cookieless Session State Is Enabled | CWE-16; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| ASP.NET CustomErrors Is Disabled | CWE-16; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| ASP.NET Login Credentials Stored In Plain Text | CWE-312; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| ASP.NET ValidateRequest Is Globally Disabled | CWE-16; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| ASP.NET: Failure To Require SSL For Authentication Cookies | CWE-16; OWASP 2017-A6 | Medium |
| Base Tag Hijacking | PCI v3.2-6.5.7; CAPEC-19; CWE-20; HIPAA-164.308(a); ISO27001-A.14.2.5; WASC-8; OWASP 2013-A3; OWASP 2017-A7 | Medium |
| BREACH Attack Detected | CWE-310; OWASP 2013-A9; OWASP 2017-A9 | Medium |
| Critical Form Send to HTTP | PCI v3.2-6.5.4; CAPEC-65; CWE-319; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Critical Form Served over HTTP | PCI v3.2-6.5.4; CAPEC-65; CWE-319; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| CVS Detected | CAPEC-118; CWE-527; ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Expired SSL Certificate | CWE-295; OWASP 2017-A3 | Medium |
| Frame Injection | PCI v3.2-6.5.1; CWE-601; HIPAA-164.308(a); ISO27001-A.14.2.5; WASC-38; OWASP 2013-A1; OWASP 2017-A1 | Medium |
| GIT Detected | CAPEC-118; CWE-527; ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| HTTP Header Injection | PCI v3.2-6.5.1; CAPEC-105; CWE-93; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-24; OWASP 2013-A1; OWASP 2017-A1 | Medium |
| HTTP Header Injection (IAST) | PCI v3.2-6.5.1; CAPEC-105; CWE-93; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-24; OWASP 2013-A1; OWASP 2017-A1 | Medium |
| HTTP Strict Transport Security (HSTS) Errors and Warnings | CWE-16; ISO27001-A.14.1.2; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| HTTP Strict Transport Security (HSTS) Policy Not Enabled | CAPEC-217; CWE-523; ISO27001-A.14.1.2; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Insecure HTTP Usage | ISO27001-A.14.1.3; WASC-4; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Insecure Transportation Security Protocol Supported (SSLv3) | PCI v3.2-6.5.4; CAPEC-217; CWE-326; HIPAA-164.306; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Invalid SSL Certificate | PCI v3.2-6.5.4; CAPEC-459; CWE-295; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Microsoft Access Database File Detected | PCI v3.2-6.5.8; CWE-284; ISO27001-A.18.1.3; WASC-2; OWASP 2013-A7; OWASP 2017-A3 | Medium |
| Open Policy Crossdomain.xml Detected | CWE-16; ISO27001-A.14.2.5; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Open Redirection | CWE-601; ISO27001-A.14.2.5; WASC-38; OWASP 2013-A10 | Medium |
| Open Redirection (DOM based) | CWE-601; ISO27001-A.14.2.5; WASC-38; OWASP 2013-A10 | Medium |
| Open Silverlight Client Access Policy | CWE-16; ISO27001-A.14.2.5; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Password Transmitted over Query String | PCI v3.2-6.5.4; CWE-598; ISO27001-A.14.2.5; WASC-13; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| PHP enable_dl Is Enabled | CWE-16; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| PHP register_globals Is Enabled | CWE-473; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| PHP session.use_only_cookies Is Disabled | CWE-598; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| PHP session.use_trans_sid Is Enabled | CWE-598; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Revoked SSL Certificate | CWE-295; OWASP 2017-A3 | Medium |
| RSA Private Key Detected | CAPEC-118; CWE-200; ISO27001-A.18.1.3; WASC-13; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Server-Side Request Forgery | CWE-918; ISO27001-A.14.2.5; WASC-20; OWASP 2013-A1; OWASP 2017-A1 | Medium |
| Server-Side Request Forgery (Time Based) | CWE-918; ISO27001-A.14.2.5; WASC-20; OWASP 2013-A1; OWASP 2017-A1 | Medium |
| Source Code Disclosure (ASP.NET) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (ColdFusion) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (Generic) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (Java Servlet) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (Java) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (JSP) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (Perl) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (PHP) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (Python) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (Ruby) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| Source Code Disclosure (Tomcat) | CAPEC-118; CWE-540; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.4.5; WASC-13; OWASP 2013-A5; OWASP 2017-A3 | Medium |
| SQLite Database File Found | PCI v3.2-6.5.8; CWE-284; ISO27001-A.18.1.3; WASC-2; OWASP 2013-A7; OWASP 2017-A3 | Medium |
| SSL Certificate Is About To Expire | CWE-295; OWASP 2017-A3 | Medium |
| SSL Certificate Name Hostname Mismatch | CWE-295; OWASP 2017-A3 | Medium |
| SSL Untrusted Root Certificate | CWE-295; OWASP 2017-A3 | Medium |
| SSL/TLS Not Implemented | PCI v3.2-6.5.4; CAPEC-217; CWE-311; HIPAA-164.306; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| Stack Trace Disclosure (ColdFusion) | PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Stack Trace Disclosure (Django) | PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Stack Trace Disclosure (Java) | PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Stack Trace Disclosure (Laravel) | PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Stack Trace Disclosure (Python) | PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Stack Trace Disclosure (RoR) | PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Stack Trace Disclosure (Ruby-Sinatra Framework) | PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Sublime SFTP Config File Detected | CWE-16; ISO27001-A.18.1.3; WASC-15; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| Unicode Transformation (Best-Fit Mapping) | CWE-20 | Medium |
| ViewState MAC Disabled | CWE-16; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-15; OWASP 2017-A6 | Medium |
| Weak Ciphers Enabled | PCI v3.2-6.5.4; CAPEC-217; CWE-327; ISO27001-A.14.1.3; WASC-4; OWASP 2013-A6; OWASP 2017-A3 | Medium |
| WordPress Setup Configuration File | PCI v3.2-6.5.8; CAPEC-212; CWE-665; HIPAA-164.312(a)(1); ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 | Medium |
| ZSH History File Detected | PCI v3.2-6.5.8; CWE-284; ISO27001-A.18.1.3; WASC-2; OWASP 2013-A7; OWASP 2017-A3 | Medium |
