Web Application Findings Details
Required User Role: Read-Only, Basic User, Scan Operator, Standard User, Scan Manager, or Administrator
On the Findings page, select a Web Application finding to open a details pane. Then, click to expand the pane.
The upper part of the Web Application Details pane contains the following information.
| Attribute | Description |
|---|---|
| Vulnerability Name | The name of the vulnerability, displayed as the title of the details pane. |
| Finding ID | The unique identifier for the specific finding instance. |
| Web App Scanning Plugin ID | The ID of the Web Application Scanning plugin that detected the vulnerability. Click the ID to open the plugin details on the Tenable Plugin Search page. |
| Severity | The severity level of the vulnerability, displayed as a color-coded badge. Possible values are Critical, High, Medium, Low, and Info. |
| State | The current state of the finding. Possible values are Active, New, Resurfaced, and Fixed. |
| VPR | The Vulnerability Priority Rating score (0–10), indicating the likelihood of exploitation. |
| CVSSv2 | The CVSSv2 base score (0–10). |
| ACR | (Requires Tenable One / Tenable Lumin license) The Tenable-defined Asset Criticality Rating (ACR) is an integer from 1 to 10. ACR helps prioritize remediation by identifying which vulnerabilities affect your most critical assets. |
The lower part of the Web Application Details pane is divided into tabs.
Details Tab
The Details tab breaks down information about the web application finding. Sections appear only when the finding contains the relevant data.
| Section | Description |
|---|---|
| Description | A summary of the vulnerability from the plugin, including what the vulnerability is and its potential impact. Select Read more to expand the full description. |
| Plugin Output | The raw output that the plugin returns when it detects the vulnerability on the target URL. Content varies by plugin. |
| Vulnerability Information | Information about the vulnerability, including: |
| Fixes | Remediation information for the vulnerability, including: |
| Vulnerability Detection Timeline | Timeline data for when the vulnerability was detected, including: |
| VPR Key Drivers | The factors that contribute to the VPR score, including: |
| Plugin Details | Technical details about the Web Application Scanning plugin that detected the vulnerability, including: |
| Risk Information | Risk scoring and classification for the vulnerability, including: |
| Attachments | Files captured during the web application scan and attached to the finding, such as HTTP request and response files. Click a file name to download it. |
| Identification | Information identifying the scanned target, including: |
| References | External security standard identifiers associated with the vulnerability, such as CAPEC, CWE, DISA STIG, OWASP, OWASP API, OWASP ASVS, NIST, HIPAA, PCI DSS, and ISO identifiers. |
Asset Summary Tab
The Asset Summary tab contains details about the asset associated with the finding.
| Section | Description |
|---|---|
| Asset | Information about the affected asset, including: Click Open in Assets to view the full asset record in Explore > Assets. |
| Tags | Tags applied to the asset. Tags appear only when assigned to the asset. |
| Last Seen | Information about when the asset was last identified on a scan, including: |