
498 matches found

Tenable Nessus
added 2019/04/16 12:0 a.m. | 14 views

Environment Configuration File Detected

An environment configuration file (.env) has been detected on the web application by the scanner. It may be possible for an attacker to view sensitive information (database login and password or API keys, for example) and then conduct further attacks. No source data...

7 AI score
Exploits: 0 | References: 1
Tenable Nessus
added 2019/04/02 12:0 a.m. | 13 views

Missing Referrer Policy

Referrer Policy provides mechanisms for websites to restrict the referrer information, sent in the Referer header, that browsers will be allowed to add. No Referrer Policy header or meta tag configuration has been detected. No source data...

7 AI score
Exploits: 0 | References: 1
Tenable Nessus
added 2019/03/27 12:0 a.m. | 15 views

Apache Tomcat Manager Detected

Apache Tomcat Manager has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality. No source da...

7.4 AI score
Exploits: 0 | References: 7
Tenable Nessus
added 2019/03/27 12:0 a.m. | 17 views

Missing Permissions Policy

Permissions Policy provides mechanisms for websites to restrict the use of browser features in their own frame and in iframes that they embed. No source data...

7.2 AI score
Exploits: 0 | References: 2
Tenable Nessus
added 2019/03/14 12:0 a.m. | 23 views

WordPress 4.3.x < 4.3.19 Cross-Site Scripting

According to its self-reported version number, the detected WordPress application is affected by a cross-site scripting (XSS) vulnerability due to insufficient input sanitization in comments. Note that the scanner has not tested for these issues but has instead relied only on the application's...

8.8 CVSS | 6 AI score | 0.81017 EPSS
Exploits: 4 | References: 4
Tenable Nessus
added 2019/03/13 12:0 a.m. | 36 views

PHP 7.3.x < 7.3.3 Multiple Vulnerabilities

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.27 or 7.2.x prior to 7.2.16 or 7.3.x prior to 7.3.3. It is, therefore, affected by multiple vulnerabilities. Note that the scanner has not tested for these issues but has instead relied only on the...

9.8 CVSS | 10 AI score | 0.52083 EPSS
Exploits: 5 | References: 7
Tenable Nessus
added 2019/02/26 12:0 a.m. | 23 views

Permissive Content Security Policy Detected

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms for websites to restrict the content that browsers will be allowed to load. One or several permissive directives have been...

6.9 AI score
Exploits: 0 | References: 5
Tenable Nessus
added 2019/02/15 12:0 a.m. | 31 views

Missing 'Cache-Control' Header

The HTTP 'Cache-Control' header is used to specify directives for caching mechanisms. The server did not return a 'Cache-Control' header, or returned an invalid one, which means pages containing sensitive information (password, credit card, personal data, social security number, etc.) could be stored on clie...

6.7 AI score
Exploits: 0 | References: 2
Tenable Nessus
added 2019/02/15 12:0 a.m. | 539 views

Bootstrap 4.x < 4.3.1 Cross-Site Scripting

According to its self-reported version number, Bootstrap is 3.x prior to 3.4.1 or 4.x prior to 4.3.1. Therefore, it may be affected by a cross-site scripting (XSS) vulnerability via the data-template attribute for the tooltip and popover plugins. Note that the scanner has not tested for these issues but has...

6.1 CVSS | 6.3 AI score | 0.01668 EPSS
Exploits: 1 | References: 2
Tenable Nessus
added 2019/02/14 12:0 a.m. | 17 views

Deprecated Content Security Policy

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms for websites to restrict the content that browsers will be allowed to load. X-Content-Security-Policy and X-Webkit-CSP HTTP...

6.7 AI score
Exploits: 0 | References: 5
Tenable Nessus
added 2019/02/14 12:0 a.m. | 22 views

Missing Content Security Policy

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms for websites to restrict the content that browsers will be allowed to load. No CSP header has been detected on this host...

6.7 AI score
Exploits: 0 | References: 5
Tenable Nessus
added 2019/02/13 12:0 a.m. | 11 views

Apache Struts 2 Config Browser Detected

Apache Struts 2 Config Browser Plugin is a module that helps view a Struts application's configuration at runtime. This plugin has been detected on the web application by the scanner. It may be possible for an attacker to view the Apache Struts version, loaded configuration or accessible action URLs for...

6.8 AI score
Exploits: 0 | References: 2
Tenable Nessus
added 2019/02/12 12:0 a.m. | 64 views

HTTP to HTTPS Redirect Not Enabled

HTTPS is enabled on the website; however, HTTP requests are not redirected to HTTPS. Communications are not encrypted if users do not explicitly access the HTTPS version of the website. Note: This plugin does not handle custom ports, and therefore only performs checks when a scan is run on standar...

7.2 AI score
Exploits: 0 | References: 1
Tenable Nessus
added 2019/02/11 12:0 a.m. | 19 views

lighttpd < 1.4.51 Multiple Vulnerabilities

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.51. It is, therefore, affected by the following vulnerabilities according to its release notes: - An unspecified header processing vulnerability in core - An unspecified username vulnerability in moduserdi...

7.5 AI score
Exploits: 0 | References: 1
Tenable Nessus
added 2019/01/31 12:0 a.m. | 12 views

Drupal 8.6.x < 8.6.6 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities: - A flaw exists in the third-party PEAR Archive_Tar library. - A flaw exists in PHP's built-in phar stream wrapper that could lead to remote code execution when performing file...

9.8 CVSS | 10 AI score | 0.76091 EPSS
Exploits: 4 | References: 5
Tenable Nessus
added 2019/01/31 12:0 a.m. | 14 views

PHP 5.6.x < 5.6.37 exif_thumbnail_extract() DoS

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.37 or 7.1.x prior to 7.1.20. It is, therefore, affected by a denial of service vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's...

7.5 CVSS | 6.9 AI score | 0.2126 EPSS
Exploits: 2 | References: 4
Tenable Nessus
added 2019/01/31 12:0 a.m. | 11 views

Drupal 7.x < 7.62 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities: - A flaw exists in the third-party PEAR Archive_Tar library. - A flaw exists in PHP's built-in phar stream wrapper that could lead to remote code execution when performing file...

9.8 CVSS | 10 AI score | 0.76091 EPSS
Exploits: 4 | References: 5
Tenable Nessus
added 2019/01/17 12:0 a.m. | 9 views

Git Repository Detected

The web server on the remote host allows read access to a Git repository. This potential flaw can be used to access content from the web server that might otherwise be private. No source data...

7.1 AI score
Exploits: 0
Tenable Nessus
added 2019/01/09 12:0 a.m. | 22 views

PHP 7.1.x < 7.1.13 Multiple Vulnerabilities

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.13. It is, therefore, affected by multiple vulnerabilities. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. N...

7.5 CVSS | 7.1 AI score | 0.89192 EPSS
Exploits: 2 | References: 4
Tenable Nessus
added 2019/01/09 12:0 a.m. | 53 views

PHP 5.6.x < 5.6.32 Multiple Vulnerabilities

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.32. It is, therefore, affected by multiple vulnerabilities. Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version numbe...

9.8 CVSS | 9 AI score | 0.08257 EPSS
Exploits: 3 | References: 3