Web Application Findings Details

Required User Role: Read-Only, Basic User, Scan Operator, Standard User, Scan Manager, or Administrator

On the Findings page, select a Web Application finding to open a details pane. Then, click to expand the pane.

The upper part of the Web Application Details pane contains the following information.

Attribute

Description

Vulnerability Name

The name of the vulnerability, displayed as the title of the details pane.

Finding ID

The unique identifier for the specific finding instance.

Web App Scanning Plugin ID

The ID of the Web Application Scanning plugin that detected the vulnerability. Click the ID to open the plugin details on the Tenable Plugin Search page.

Severity

The severity level of the vulnerability, displayed as a color-coded badge. Possible values are Critical, High, Medium, Low, and Info.

State

The current state of the finding. Possible values are Active, New, Resurfaced, and Fixed.

VPR

The Vulnerability Priority Rating score (0–10), indicating the likelihood of exploitation.

CVSSv2

The CVSSv2 base score (0–10).

ACR

(Requires Tenable One / Tenable Lumin license) The Tenable-defined Asset Criticality Rating (ACR) is an integer from 1 to 10.

ACR helps prioritize remediation by identifying which vulnerabilities affect your most critical assets.

The lower part of the Web Application Details pane is divided into tabs.

Details Tab

The Details tab breaks down information about the web application finding. Sections appear only when the finding contains the relevant data.

Section

Description

Description

A summary of the vulnerability from the plugin, including what the vulnerability is and its potential impact. Select Read more to expand the full description.

Plugin Output

The raw output that the plugin returns when it detects the vulnerability on the target URL. Content varies by plugin.

Vulnerability Information

Information about the vulnerability, including:

  • Severity — Severity level: Info, Low, Medium, High, or Critical.
  • Exploited With — Exploit frameworks or tools known to include an exploit for the vulnerability (for example, Canvas, Metasploit).
  • Exploited By Malware — Indicates whether known malware exploits the vulnerability.

Fixes

Remediation information for the vulnerability, including:

  • Solution — Recommended remediation action provided by the plugin.
  • See Also — Links to external references and advisories related to the vulnerability.

Vulnerability Detection Timeline

Timeline data for when the vulnerability was detected, including:

  • First Seen — Date and time Tenable first detected the vulnerability on this asset.
  • Last Seen — Date and time Tenable most recently detected the vulnerability on this asset.
  • Vuln SLA Date — SLA deadline date for remediating the vulnerability, based on your configured SLA policy.
  • Age — Number of days since Tenable first detected the vulnerability.

VPR Key Drivers

The factors that contribute to the VPR score, including:

  • VPR — Vulnerability Priority Rating score (0–10).
  • VPR Key Driver On CISA KEV — Indicates whether the vulnerability appears on the CISA Known Exploited Vulnerabilities catalog.

Plugin Details

Technical details about the Web Application Scanning plugin that detected the vulnerability, including:

  • Plugin Published — Date Tenable first published the plugin.
  • Plugin Updated — Date Tenable last updated the plugin.
  • Plugin Family — Plugin family category (for example, Cross Site Request Forgery).

Risk Information

Risk scoring and classification for the vulnerability, including:

  • Risk Factor — Overall risk classification (for example, Critical, High, Medium, Low).
  • CVSSv4 Base Score — CVSSv4 base score (0–10).
  • CVSSv4 Vector — CVSSv4 vector string describing the scoring characteristics.
  • CVSSv3 Base Score — CVSSv3 base score (0–10).
  • CVSSv3 Vector — CVSSv3 vector string describing the scoring characteristics.
  • CVSSv2 Base Score — CVSSv2 base score (0–10).
  • CVSSv2 Vector — CVSSv2 vector string.
  • Risk Modified — Indicates whether a recast or accept rule modified the risk.

Attachments

Files captured during the web application scan and attached to the finding, such as HTTP request and response files. Click a file name to download it.

Identification

Information identifying the scanned target, including:

  • URL — The URL of the target web application where Tenable detected the vulnerability.
  • HTTP Request — The HTTP request that triggered the finding, including the request method, path, and headers. Select Read more to expand the full request.

References

External security standard identifiers associated with the vulnerability, such as CAPEC, CWE, DISA STIG, OWASP, OWASP API, OWASP ASVS, NIST, HIPAA, PCI DSS, and ISO identifiers.

Asset Summary Tab

The Asset Summary tab contains details about the asset associated with the finding.

Section

Description

Asset

Information about the affected asset, including:

  • Asset Name — Name of the asset (typically the target domain or hostname).
  • Asset ID — Unique identifier for the asset.
  • Public — Indicates whether the asset is publicly accessible.
  • IPv4 Addresses — IPv4 addresses associated with the asset.
  • Related Findings — The number of other findings associated with the same asset.

Click Open in Assets to view the full asset record in Explore > Assets.

Tags

Tags applied to the asset. Tags appear only when assigned to the asset.

Last Seen

Information about when the asset was last identified on a scan, including:

  • First Seen — Date and time a scan first detected the asset.
  • Last Seen — Date and time a scan most recently detected the asset.
  • Last Licensed Scan — Date and time of the most recent licensed scan of the asset.
  • Sources — Scan sources that have observed the asset (for example, Web Application).