The Vulnerabilities page in BreachSight reports on vulnerabilities that may affect the software running on your websites. The VendorRisk module reports the same information for your vendors. The vulnerabilities reported on this page have all been published to the Common Vulnerabilities and Exposures (CVE) database, a list of publicly disclosed cybersecurity vulnerabilities. Each published vulnerability is given a CVE ID, as shown in Cyber Risk. See cve.mitre.org for more information.
The first step in identifying vulnerabilities is to determine the specific software versions in use. This is inferred from information the site itself exposes, such as HTTP headers and website content. Once a software version has been determined, a lookup is performed against the public CVE database. Any matches found for that software version are then linked by Cyber Risk to the website running that software.
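The two-step process described above (fingerprint the software version from what the response exposes, then look the version up against CVE records) is illustrated by the following added example. It is not Cyber Risk's own code: the HTTP headers, page body and CVE table are constructed for the example, the CVE IDs are placeholders rather than real records, and the version ranges are illustrative. The point worth noticing is that versions must be compared numerically, not as strings, or "2.4.9" will sort after "2.4.49".

```python
import re

# Constructed sample HTTP response (headers plus a fragment of the body).
# These are not real hosts, and the version numbers are illustrative.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.49 (Unix)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = '<html><head><meta name="generator" content="WordPress 5.8.1"></head></html>'

# Constructed CVE table. The IDs are placeholders, not real CVE records; a real
# lookup would query the public CVE/NVD data for the identified product.
CVE_TABLE = [
    {"id": "CVE-0000-0001", "product": "apache", "min": "2.4.49", "max": "2.4.50", "cvss": 9.8},
    {"id": "CVE-0000-0002", "product": "php", "min": "7.4.0", "max": "7.4.5", "cvss": 7.5},
    {"id": "CVE-0000-0003", "product": "wordpress", "min": "5.0", "max": "5.8.2", "cvss": 6.1},
    {"id": "CVE-0000-0004", "product": "nginx", "min": "1.0.0", "max": "1.20.0", "cvss": 7.8},
]

# "Product/1.2.3" as it appears in Server and X-Powered-By headers.
PRODUCT_PATTERN = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*)")
# <meta name="generator" content="Product 1.2.3"> as emitted by many CMSs.
GENERATOR_PATTERN = re.compile(
    r'<meta\s+name="generator"\s+content="([A-Za-z][A-Za-z0-9_ -]*?)\s+(\d+(?:\.\d+)*)"', re.I
)


def parse_version(text):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def in_range(version, low, high):
    """Inclusive check that low <= version <= high using numeric tuple comparison."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def fingerprint(headers, body):
    """Return (product, version, evidence) triples found in headers and body."""
    found = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name, "")
        for product, version in PRODUCT_PATTERN.findall(value):
            found.append((product.lower(), version, f"header {name}"))
    for product, version in GENERATOR_PATTERN.findall(body):
        found.append((product.lower(), version, "meta generator tag"))
    return found


def match_cves(fingerprints, cve_table):
    """Link each fingerprinted product/version to CVE entries whose range covers it."""
    findings = []
    for product, version, evidence in fingerprints:
        for cve in cve_table:
            if cve["product"] == product and in_range(version, cve["min"], cve["max"]):
                findings.append({
                    "cve": cve["id"], "product": product, "version": version,
                    "cvss": cve["cvss"], "evidence": evidence,
                })
    # Highest CVSS first, which is the order a reviewer will want to triage in.
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def assess(headers, body, cve_table=CVE_TABLE):
    """Full pipeline: fingerprint the response, then look the versions up."""
    return match_cves(fingerprint(headers, body), cve_table)


if __name__ == "__main__":
    for finding in assess(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{finding['cve']}  CVSS {finding['cvss']}  "
              f"{finding['product']} {finding['version']}  (from {finding['evidence']})")
```

A match here means only that the reported version falls inside a CVE's affected range; as the page notes, whether the site is actually exploitable depends on configuration and on the details of the vulnerability, so each finding still needs review.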
This does not guarantee that the website is vulnerable, only that it may be vulnerable under certain conditions. The details of the vulnerability must be reviewed to properly assess the risk to your website. To help assess the risk, the CVSS score (Common Vulnerability Scoring System) is also reported by Cyber Risk. This is a published standard developed to capture the principal characteristics of a vulnerability and produce a numerical score between 0 and 10 reflecting its severity.
Running software with publicly disclosed vulnerabilities presents known weaknesses for an attacker to exploit. Software should be patched regularly to mitigate this risk. Additionally, steps should be taken where possible to ensure that the software versions running on your websites are not identifiable through HTTP headers or other means. This makes them harder to identify as targets for known vulnerabilities.
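The following added example is a small self-check for the second recommendation above: given a site's response headers and page body, it reports where a version or technology name is being disclosed, so an operator can confirm a hardening change actually took effect. It is not Cyber Risk's code and does not reflect how the product scans; the "leaky" and "hardened" responses are constructed for the example, and the server directives named in the comments are the standard ones for each product.

```python
import re

# Any dotted version-looking token, e.g. 2.4.49 or 7.4.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")
# Response headers that commonly carry product and version information.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)

# Constructed "before" response: default settings that expose versions.
LEAKY_HEADERS = {"Server": "Apache/2.4.49 (Unix)", "X-Powered-By": "PHP/7.4.3"}
LEAKY_BODY = '<head><meta name="generator" content="WordPress 5.8.1"></head>'

# Constructed "after" response, the result of:
#   Apache:    ServerTokens Prod            (Server header reduced to the product name)
#   nginx:     server_tokens off;           (equivalent setting for nginx)
#   PHP:       expose_php = Off             (removes the X-Powered-By header)
#   WordPress: remove_action('wp_head', 'wp_generator');  (drops the generator meta tag)
HARDENED_HEADERS = {"Server": "Apache"}
HARDENED_BODY = "<head></head>"


def disclosure_findings(headers, body=""):
    """Return human-readable findings for each place a version or stack name leaks."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name in VERSION_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append(f"header {name} discloses a version: {value!r}")
        elif name != "server":
            # A bare "Server: Apache" is usually tolerated; X-Powered-By and
            # friends exist only to advertise the stack and can simply be removed.
            findings.append(f"header {name} discloses the technology stack: {value!r}")
    for content in GENERATOR_RE.findall(body):
        if VERSION_RE.search(content):
            findings.append(f"meta generator tag discloses a version: {content!r}")
    return findings


def is_hardened(headers, body=""):
    """True when nothing version-identifying remains in the response."""
    return not disclosure_findings(headers, body)


if __name__ == "__main__":
    for label, headers, body in (
        ("before", LEAKY_HEADERS, LEAKY_BODY),
        ("after", HARDENED_HEADERS, HARDENED_BODY),
    ):
        print(f"[{label}] hardened={is_hardened(headers, body)}")
        for finding in disclosure_findings(headers, body):
            print("   -", finding)
```

Hiding versions raises the cost of fingerprinting but does not remove the underlying weakness: the page's first recommendation, patching, is what actually closes a CVE, and this check is best used to verify configuration alongside it rather than instead of it.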