International Standard - ISO 27001:2013: Compliance Report


14 June 2019
Generated by Acunetix

Description

ISO/IEC 27001 is an information security management system (ISMS) standard published in September 2013 by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC
27001:2013 - Information technology - Security techniques - Information security management systems - Requirements.

The objective of this standard is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining,
and improving an Information Security Management System.

Disclaimer

This document or any of its content cannot account for, or be included in any form of legal advice. The outcome of a vulnerability
scan (or security evaluation) should be utilized to ensure that diligent measures are taken to lower the risk of potential exploits
carried out to compromise data.

Legal advice must be supplied according to its legal context. All laws and the environments in which they are applied, are
constantly changed and revised. Therefore no information provided in this document may ever be used as an alternative to a
qualified legal body or representative.

Scan

URL: http://192.168.1.207:8069/web/
Scan date: 14/06/2019, 09:04:31
Duration: 2 minutes, 59 seconds
Profile: Full Scan

Compliance at a Glance

This section of the report is a summary and lists the number of alerts found according to individual compliance categories.

- Inventory of assets (8.1.1): No alerts
- Handling of assets (8.2.3): 1 alert
- Access to networks and network services (9.1.2): No alerts
- Management of privileged access rights (9.2.3): 2 alerts
- Management of secret authentication information of users (9.2.4): No alerts
- Use of secret authentication information (9.3.1): 1 alert
- Information access restriction (9.4.1): 1 alert
- Secure log-on procedures (9.4.2): No alerts
- Password management system (9.4.3): 1 alert
- Use of privileged utility programs (9.4.4): No alerts
- Access control to program source code (9.4.5): No alerts
- Separation of development, testing and operational environments (12.1.4): No alerts
- Controls against malware (12.2.1): No alerts
- Protection of log information (12.4.2): 1 alert
- Administrator and operator logs (12.4.3): 1 alert
- Installation of software on operational systems (12.5.1): 5 alerts
- Security of network services (13.1.1): No alerts
- Information transfer policies and procedures (13.2.1): No alerts
- Electronic messaging (13.2.3): No alerts
- Securing application services on public networks (14.1.2): No alerts
- Protecting application services transactions (14.1.3): No alerts
- Secure development policy (14.2.1): No alerts
- Protection of test data (14.3.1): No alerts
- Availability of information processing facilities (17.2.1): No alerts
- Protection of records (18.1.3): 1 alert
- Privacy and protection of personally identifiable information (18.1.4): 1 alert
- Regulation of cryptographic controls (18.1.5): No alerts

Compliance According to Categories: A Detailed Report

This section is a detailed report that explains each vulnerability found according to individual compliance categories.

(8.1.1)Inventory of assets

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall
be drawn up and maintained.

No alerts in this category.

(8.2.3)Handling of assets

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme
adopted by the organization.

Total number of alerts in this category: 1

Alerts in this category

Session token in URL

This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CWE: CWE-200
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(9.1.2)Access to networks and network services

Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

No alerts in this category.

(9.2.3)Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled.

Total number of alerts in this category: 2

Alerts in this category

HTML form without CSRF protection

This alert requires manual confirmation

Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victim
did not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser.

Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for more
information about the affected HTML form.

CVSS2
Base Score: 2.6
Access Vector: Network_accessible
Access Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 4.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

CWE: CWE-352
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

Login page password-guessing attack

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.

This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low

CWE: CWE-307
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(9.2.4)Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process.

No alerts in this category.

(9.3.1)Use of secret authentication information

Users shall be required to follow the organization's practices in the use of secret authentication information.

Total number of alerts in this category: 1

Alerts in this category

Login page password-guessing attack

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.

This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low

CWE: CWE-307
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(9.4.1)Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy.

Total number of alerts in this category: 1

Alerts in this category

Session token in URL

This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CWE: CWE-200
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(9.4.2)Secure log-on procedures

Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on
procedure.

No alerts in this category.

(9.4.3)Password management system

Password management systems shall be interactive and shall ensure quality passwords.

Total number of alerts in this category: 1

Alerts in this category

Login page password-guessing attack

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.

This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low

CWE: CWE-307
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(9.4.4)Use of privileged utility programs

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly
controlled.

No alerts in this category.

(9.4.5)Access control to program source code

Access to program source code shall be restricted.

No alerts in this category.

(12.1.4)Separation of development, testing and operational environments

Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to
the operational environment.

No alerts in this category.

(12.2.1)Controls against malware

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user
awareness.

No alerts in this category.

(12.4.2)Protection of log information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Total number of alerts in this category: 1

Alerts in this category

Session token in URL

This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CWE: CWE-200
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(12.4.3)Administrator and operator logs

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

Total number of alerts in this category: 1

Alerts in this category

Session token in URL

This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CWE: CWE-200
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(12.5.1)Installation of software on operational systems

Procedures shall be implemented to control the installation of software on operational systems.

Total number of alerts in this category: 5

Alerts in this category

Vulnerable Javascript library

You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.

CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

CWE: CWE-16
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

Vulnerable Javascript library

You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.

CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

CWE: CWE-16
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

Cookie(s) without HttpOnly flag set

This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the
cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session
cookies.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

Cookie(s) without Secure flag set

This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie
may only be sent over encrypted (HTTPS/TLS) connections. This is an important security protection for session cookies.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

Login page password-guessing attack

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.

This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low

CWE: CWE-307
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(13.1.1)Security of network services

Security mechanisms, service levels and management requirements of all network services shall be identified and included in
network services agreements, whether these services are provided in-house or outsourced.

No alerts in this category.

(13.2.1)Information transfer policies and procedures


Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all
types of communication facilities.

No alerts in this category.

(13.2.3)Electronic messaging

Information involved in electronic messaging shall be appropriately protected.

No alerts in this category.

(14.1.2)Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract
dispute and unauthorized disclosure and modification.

No alerts in this category.

(14.1.3)Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

No alerts in this category.

(14.2.1)Secure development policy

Rules for the development of software and systems shall be established and applied to developments within the organization.

No alerts in this category.

(14.3.1)Protection of test data

Test data shall be selected carefully, protected and controlled.

No alerts in this category.

(17.2.1)Availability of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

No alerts in this category.

(18.1.3)Protection of records

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with
legislatory, regulatory, contractual and business requirements.

Total number of alerts in this category: 1

Alerts in this category

Session token in URL

This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CWE: CWE-200
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(18.1.4)Privacy and protection of personally identifiable information

Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation
where applicable.

Total number of alerts in this category: 1

Alerts in this category

Session token in URL

This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CWE: CWE-200
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial

(18.1.5)Regulation of cryptographic controls

Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

No alerts in this category.


Affected Items: A Detailed Report

This section provides full details of the types of vulnerabilities found according to individual affected items.

Web Server

HTML form without CSRF protection

This alert requires manual confirmation

Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victim
did not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser.

Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for more
information about the affected HTML form.

This alert belongs to the following categories: 9.2.3

CVSS2
Base Score: 2.6
Access Vector: Network_accessible
Access Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 4.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

CWE: CWE-352
Parameter Variations

Vulnerable Javascript library

You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.

This alert belongs to the following categories: 12.5.1

CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

CWE: CWE-16
Parameter Variations

Vulnerable Javascript library

You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.

This alert belongs to the following categories: 12.5.1

CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

CWE: CWE-16
Parameter Variations

Cookie(s) without HttpOnly flag set

This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the
cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session
cookies.

This alert belongs to the following categories: 12.5.1

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Parameter Variations

Cookie(s) without Secure flag set

This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie
may only be sent over encrypted (HTTPS/TLS) connections. This is an important security protection for session cookies.

This alert belongs to the following categories: 12.5.1

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Parameter Variations

Login page password-guessing attack

A common threat web developers face is a password-guessing attack known as a brute-force attack: an attempt to discover a
password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination
is found.

This login page has no protection against password-guessing (brute-force) attacks. It is recommended to implement some type of
account lockout after a defined number of incorrect password attempts. Consult the Web references for more information about
fixing this problem.

This alert belongs to the following categories: 9.2.3, 9.3.1, 9.4.3, 12.5.1

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
CWE CWE-307
Parameter Variations

Session token in URL

This application places a session token in the URL query parameters. A session token is sensitive information and should not be
carried in the URL, since URLs can be logged or leaked to other sites via the Referer header.

This alert belongs to the following categories: 8.2.3, 9.4.1, 12.4.2, 12.4.3, 18.1.3, 18.1.4

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVSS3
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
CWE CWE-200
Parameter Variations

Scanned items (coverage report)