
Classification

Vulnerability Scanning Documentation


Introduction

This document describes the process and standards used by our vulnerability scanner to identify and classify security vulnerabilities. It details key concepts such as MITRE, CVE, CVSS, and CWE, and explains how severities are determined based on FIRST.org standards.

Vulnerability Severity Classification

Our vulnerability scanner adheres to the standards set by FIRST.org for classifying vulnerability severity, using four levels: Low, Medium, High, and Critical. These levels are assigned based on the following criteria:

Vulnerabilities with CVE and CVSS

When a vulnerability has an associated CVE and CVSS score, the severity is determined directly by the CVSS score, according to the standard ranges:

Severity Level    CVSS Score
Low               0.1–3.9
Medium            4.0–6.9
High              7.0–8.9
Critical          9.0–10.0

This approach ensures that classification is consistent with global cybersecurity standards, enabling effective prioritization based on severity.

Vulnerabilities without CVE

For vulnerabilities that do not have an associated CVE, the scanner automatically classifies them as "Warning" for manual review. This custom level is used because:

  • The absence of a CVE means there is no standardized CVSS score to determine severity.

  • These vulnerabilities can pose significant risks, depending on the context, and require manual assessment to determine their true impact.

  • The “Warning” rating serves as a flag to ensure that these vulnerabilities receive human attention, preventing them from being overlooked.

This strategy reflects a cautious approach, recognizing that vulnerabilities without CVEs can be just as dangerous as those with known identifiers, especially on critical systems.

The scanner uses MITRE standards to ensure consistency in identifying and categorizing vulnerabilities. Each detected vulnerability is associated with:

  • CWE: Identifies the underlying weakness in the software, such as an input validation failure.

  • CVE: When available, provides the unique identifier of the vulnerability.

  • CVSS: When available, includes the numeric score and the corresponding severity level (Low, Medium, High, Critical) in a separate field for clarity.

This integration with MITRE standards ensures that the scanner produces detailed reports that are compliant with cybersecurity best practices.
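The classification rules described above, put together in one runnable Python example: the FIRST.org CVSS bands from the severity table, the custom "Warning" level for findings without a CVE, and the CWE/CVE/CVSS fields each reported finding carries. This is an added illustration, not VScanner's own code or API schema; the `Finding` field names, the constructed sample findings, the placeholder CVE identifier, and the decision to treat a CVE that has no published score like the no-CVE case are all assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

# Severity bands published by FIRST.org for CVSS v3.x: the same ranges as the
# table in this document, plus the 0.0 "None" band FIRST defines.
SEVERITY_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)


@dataclass
class Finding:
    """One scanner finding. Field names are illustrative (assumption), not the real API schema."""
    title: str
    cwe: str                          # CWE id of the underlying weakness, e.g. "CWE-79"
    cve: Optional[str] = None         # CVE id when one exists
    cvss_score: Optional[float] = None  # CVSS base score when one exists


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to the FIRST.org qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores are published with one decimal place
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: the bands cover 0.0-10.0")


def classify(finding: Finding) -> dict:
    """Build the report fields described in this document.

    - CVE and CVSS present: severity comes directly from the score.
    - No CVE: the custom "Warning" level, flagged for manual review.
    - CVE present but no score yet (assumption): also "Warning", since there is
      no standardized severity to rely on.
    """
    report = {"title": finding.title, "cwe": finding.cwe, "cve": finding.cve,
              "cvss_score": finding.cvss_score}
    if finding.cve is None or finding.cvss_score is None:
        report.update(severity="Warning", needs_manual_review=True)
    else:
        report.update(severity=severity_from_cvss(finding.cvss_score),
                      needs_manual_review=False)
    return report


def manual_review_queue(findings: list) -> list:
    """Return the titles of findings that a human must assess (the "Warning" level)."""
    return [r["title"] for r in map(classify, findings) if r["needs_manual_review"]]


# Constructed sample findings; the CVE id is a placeholder, not a real identifier.
SAMPLE_FINDINGS = [
    Finding("Outdated component with known flaw", "CWE-1104", "CVE-0000-00001", 9.8),
    Finding("Missing security header", "CWE-693"),  # no CVE -> Warning
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(classify(f))
    print("manual review:", manual_review_queue(SAMPLE_FINDINGS))
```

Running the module prints one report dict per sample finding; the first is rated Critical from its score, the second lands in the manual-review queue as "Warning" because it carries a CWE but no CVE.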

Conclusion

Our vulnerability scanner is designed to accurately and consistently identify and classify security vulnerabilities using industry standards such as CVE, CVSS, and CWE, maintained by MITRE and FIRST.org. The inclusion of a custom “Warning” level for non-CVE vulnerabilities reflects a cautious approach, ensuring that potential risks are not overlooked.

Integration with MITRE Standards

FIRST.org and MITRE standards are updated regularly, and VScanner adapts to these changes to stay compliant.
