Guidance on vulnerabilities

Here you will find guidance and solutions for frequently reported vulnerabilities and scan findings.


Is TLSv1.0 or TLSv1.1 PCI DSS compliant?

No, TLS 1.0 and TLS 1.1 have not been considered PCI DSS compliant since March 31, 2021. Use only TLS 1.2 or 1.3 to meet current security standards.
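To verify before a rescan that a service no longer negotiates the legacy versions, the following added check (example code written for this page, not a tool from the scanning service) attempts one handshake per TLS version and reports whether the accepted set is PCI DSS compliant. It assumes a reachable `host:port` and a Python build whose OpenSSL still supports TLS 1.0/1.1 as a client; versions the local library cannot even offer are reported as not accepted.

```python
import socket
import ssl

# Protocol versions the scanner distinguishes; the first two are non-compliant.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1.0", "TLSv1.1"}


def handshake(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # we only care about version negotiation
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version     # may raise ValueError if OpenSSL lacks it
        ctx.maximum_version = version
        if version <= ssl.TLSVersion.TLSv1_1:
            # Modern OpenSSL refuses to offer TLS 1.0/1.1 at the default security level.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host, port=443, do_handshake=handshake):
    """Map each version name to whether the server accepted it (handshake is injectable for tests)."""
    return {name: do_handshake(host, port, ver) for name, ver in VERSIONS.items()}


def assess(results):
    """Compliant only if at least one version is accepted and none of them is TLS 1.0/1.1."""
    accepted = {name for name, ok in results.items() if ok}
    offending = sorted(accepted & LEGACY)
    return {
        "compliant": bool(accepted) and not offending,
        "accepted": sorted(accepted),
        "offending": offending,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(assess(probe(target)))
```

A result with `"offending": ["TLSv1.0"]` means the finding will reappear on rescan until that version is disabled on the server.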

Can confirmed false positives be removed from the reports?

No, false positives cannot be removed retroactively. They must be commented as such in the report.

Finding: "Possible Scan Interference"

Perform a rescan. If the problem persists, comment on this as a false positive in English.

Finding: "Not alive – No Vulnerabilities were found for this Component"

The scanner was unable to detect the system, possibly because a firewall is blocking access. Check accessibility and, if necessary, perform a rescan with the "No pre-ping test (slow)" profile.

Finding: "Certificate SHA1 Signature Collision Vulnerability"

The entire certificate chain is examined here. If only the root certificate is using the SHA1 algorithm, please add a false positive comment to explain this.

Finding: "Server stopped responding"

There may be various causes for this. Check whether the scanner was blocked by an active firewall or if the target system was overloaded and became unreachable.

If the cookie does not contain sensitive information, mark the finding as a false positive and provide an explanation in the comment—in English, please.

Finding: "Outdated Software"

The scanner tries to determine the software’s current patch level based on the version number. However, it is possible that all patches have been applied but the version number has not changed ("backport"). If this is the case, it can be commented accordingly. Otherwise, the software must be updated and a subsequent rescan performed to verify this.

Finding: "Remote Management Service Accepting Unencrypted Credentials Detected"

A service has been identified that communicates without encryption. This does not comply with PCI DSS requirements.
Please check whether the service truly needs to be externally accessible or if its use can be limited to internal networks. If the service is still required, we strongly recommend switching to an encrypted alternative (e.g., SFTP for FTP). If this is not possible, please justify this in the comment and briefly explain what the service is used for and what protective measures are implemented.

Finding: "Database Instance Detected"

According to PCI guidelines, databases that process or store credit card data must not be directly accessible from the Internet. If the detected database does not process or store credit card data, please comment accordingly.