August 27, 2024
Vulnerability Scan
Report
prepared by
HostedScan Security
hostedscan.com
HostedScan Security Vulnerability Scan Report
Overview
1 Executive Summary 3
2 Vulnerabilities By Target 4
3 Network Vulnerabilities 6
4 Glossary 11
hostedscan.com 2
1 Executive Summary
Vulnerability scans were conducted on select servers, networks, websites, and applications. This report contains the
potential vulnerabilities discovered by these scans. Vulnerabilities have been classified by severity; a higher severity
indicates a greater risk of a data breach, or of a loss of integrity or availability, for the targets.
1.1 Total Vulnerabilities
Below is the total number of vulnerabilities found by severity. Critical vulnerabilities are the most severe and should
be evaluated first. An accepted vulnerability is one which has been manually reviewed and classified as acceptable
not to fix at this time, such as a false positive detection or an intentional part of the system's architecture.
Critical  High  Medium  Low  Accepted
0         0     2       2    0
1.2 Report Coverage
This report includes findings for 1 target scanned. Each target is a single URL, IP address, or fully qualified domain
name (FQDN).
Vulnerability Categories: Network Vulnerabilities (4)
2 Vulnerabilities By Target
This section contains the vulnerability findings for each scanned target. Prioritization should be given to the
targets with the highest severity vulnerabilities. However, it is important to take into account the purpose of each
system and consider the potential impact a breach or an outage would have for the particular target.
2.1 Targets Summary
The number of potential vulnerabilities found for each target by severity.
Target                    Critical  High  Medium  Low  Accepted
https://www.powtoon.com/  0         0     2       2    0
2.2 Target Breakdowns
Details for the potential vulnerabilities found for each target by scan type.
Target: https://www.powtoon.com/
Total Risks: Critical 0, High 0, Medium 2, Low 2, Accepted 0

Network Vulnerabilities                                     Severity  CVSS Score  First Detected  Last Detected
Missing 'HttpOnly' Cookie Attribute (HTTP)                  Medium    5.0         61 days ago     0 days ago
WordPress < 6.5 Private Information Exposure Vulnerability  Medium    5.0         61 days ago     0 days ago
TCP Timestamps Information Disclosure                       Low       2.6         61 days ago     0 days ago
ICMP Timestamp Reply Information Disclosure                 Low       2.1         61 days ago     0 days ago
3 Network Vulnerabilities
The OpenVAS network vulnerability scan tests servers and internet connected devices for over 150,000
vulnerabilities. OpenVAS uses the Common Vulnerability Scoring System (CVSS) to quantify the severity of findings.
0.0 is the lowest severity and 10.0 is the highest.
3.1 Total Vulnerabilities
Total number of vulnerabilities found by severity.
Critical  High  Medium  Low  Accepted
0         0     2       2    0
3.2 Vulnerabilities Breakdown
Summary list of all detected vulnerabilities.
Title                                                       Severity  CVSS Score  Open  Accepted
Missing 'HttpOnly' Cookie Attribute (HTTP)                  Medium    5.0         1     0
WordPress < 6.5 Private Information Exposure Vulnerability  Medium    5.0         1     0
TCP Timestamps Information Disclosure                       Low       2.6         1     0
ICMP Timestamp Reply Information Disclosure                 Low       2.1         1     0
3.3 Vulnerability Details
Detailed information about each potential vulnerability found by the scan.
Missing 'HttpOnly' Cookie Attribute (HTTP)
SEVERITY AFFECTED TARGETS LAST DETECTED CVSS SCORE
Medium 1 target 0 days ago 5.0
Description
The remote HTTP web server / application fails to set the 'HttpOnly' cookie attribute on one or more of the HTTP cookies it sends.
The flaw exists if a session cookie is not using the 'HttpOnly' cookie attribute.
This allows the cookie to be read by JavaScript running in the browser, which could lead to session hijacking attacks.
Solution
- Set the 'HttpOnly' cookie attribute for any session cookie
- Assess the security impact on the web server / application yourself and create an override for this result if there is
none (this cannot be checked automatically by this VT)
References
https://www.rfc-editor.org/rfc/rfc6265#section-5.2.6
https://owasp.org/www-community/HttpOnly
https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
Vulnerable Target First Detected Last Detected
https://www.powtoon.com/ 61 days ago 0 days ago
WordPress < 6.5 Private Information Exposure Vulnerability
SEVERITY AFFECTED TARGETS LAST DETECTED CVSS SCORE
Medium 1 target 0 days ago 5.0
Description
WordPress is prone to a private information exposure via 'redirect_guess_404_permalink()'.
When guessing the proper URL to redirect a 404, WordPress only considers the post statuses and not the proper post type privacy
settings, leading to potential information disclosure.
This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
Solution
Update to version 6.5 or later.
Note: As of 04/2024 the security fix is only available in version 6.5 and has not been backported to older versions yet.
References
CVE-2023-5692
https://core.trac.wordpress.org/ticket/59795
https://core.trac.wordpress.org/changeset/57645
https://bugzilla.redhat.com/show_bug.cgi?id=2273662
https://www.wordfence.com/threat-intel/vulnerabilities/id/6e6f993b-ce09-4050-84a1-cbe9953f36b1
https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-plugin-6-4-3-sensitive-information-exposure-via-redirect-guess-404-permalink-vulnerability
Vulnerable Target First Detected Last Detected
https://www.powtoon.com/ 61 days ago 0 days ago
TCP Timestamps Information Disclosure
SEVERITY AFFECTED TARGETS LAST DETECTED CVSS SCORE
Low 1 target 0 days ago 2.6
Description
The remote host implements TCP timestamps, which allows its uptime to be computed.
The remote host implements TCP timestamps, as defined by RFC1323/RFC7323.
A side effect of this feature is that the uptime of the remote host can sometimes be computed from the timestamp values.
Solution
To disable TCP timestamps on Linux add the line 'net.ipv4.tcp_timestamps
References
https://datatracker.ietf.org/doc/html/rfc1323
https://datatracker.ietf.org/doc/html/rfc7323
https://web.archive.org/web/20151213072445/http://www.microsoft.com/en-us/download/details.aspx?id=9152
https://www.fortiguard.com/psirt/FG-IR-16-090
Vulnerable Target First Detected Last Detected
https://www.powtoon.com/ 61 days ago 0 days ago
ICMP Timestamp Reply Information Disclosure
SEVERITY AFFECTED TARGETS LAST DETECTED CVSS SCORE
Low 1 target 0 days ago 2.1
Description
The remote host responded to an ICMP timestamp request.
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the
sender of the Timestamp as well as a receive timestamp and a transmit timestamp.
This information could theoretically be used to exploit weak time-based random number generators in other services.
Solution
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a firewall, and block ICMP packets passing through the firewall in either direction (either completely or only
for untrusted networks)
References
CVE-1999-0524
https://datatracker.ietf.org/doc/html/rfc792
https://datatracker.ietf.org/doc/html/rfc2780
Vulnerable Target First Detected Last Detected
https://www.powtoon.com/ 61 days ago 0 days ago
4 Glossary
Accepted Vulnerability
An accepted vulnerability is one which has been manually reviewed and classified as acceptable not to fix at this
time, such as a false positive scan result or an intentional part of the system's architecture.

Fully Qualified Domain Name (FQDN)
A fully qualified domain name is a complete domain name for a specific website or service on the internet. This
includes not only the website or service name, but also the top-level domain name, such as .com, .org, .net, etc. For
example, 'www.example.com' is an FQDN.

Network Vulnerabilities
The OpenVAS network vulnerability scan tests servers and internet connected devices for over 150,000
vulnerabilities. OpenVAS uses the Common Vulnerability Scoring System (CVSS) to quantify the severity of
findings. 0.0 is the lowest severity and 10.0 is the highest.

CVSS Score
The CVSS 3.0 score is a global standard for evaluating vulnerabilities with a 0 to 10 scale. CVSS maps to threat
levels:
0.1 - 3.9 = Low
4.0 - 6.9 = Medium
7.0 - 8.9 = High
9.0 - 10.0 = Critical

Vulnerability
A weakness in the computational logic (e.g., code) found in software and hardware components that, when
exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in
this context typically involves coding changes, but could also include specification changes or even specification
deprecations (e.g., removal of affected protocols or functionality in their entirety).

Target
A target is a single URL, IP address, or fully qualified domain name (FQDN) that was scanned.

Severity
Severity represents the estimated impact potential of a particular vulnerability. Severity is divided into 5
categories: Critical, High, Medium, Low and Accepted.
This report was prepared using
HostedScan Security ®
For more information, visit hostedscan.com
Founded in Seattle, Washington in 2019, HostedScan, LLC. is
dedicated to making continuous vulnerability scanning and risk
management much more easily accessible to more businesses.
HostedScan, LLC.
2212 Queen Anne Ave N
Suite #521
Seattle, WA 98109