PCI Report: Detailed Results

The Detailed Results section shows all detected vulnerabilities and potential vulnerabilities sorted by host.

Hosts are listed by IP address with the DNS and NetBIOS hostnames shown in parentheses, when available. The operating system detected on the host is displayed to the far right.

For each host, a list of the detected vulnerabilities (red), potential vulnerabilities (yellow) and information gathered (blue) appears with vulnerability information described below.

 

Classification Information

QID. The Qualys ID number assigned to the vulnerability.

Category. The category the vulnerability is assigned to. See Vulnerability Categories for information.

CVE ID. If available, this is a link to the CVE name(s) associated with this vulnerability check. CVE (Common Vulnerabilities and Exposures) is a list of common names for publicly known vulnerabilities and exposures. Through open and collaborative discussions, the CVE Editorial board determines which vulnerabilities or exposures are included in CVE.

Vendor Reference. A reference number released by the vendor regarding the vulnerability, such as a Microsoft Security Bulletin like MS03-046. This may be a link directly to the vendor's web site.

Bugtraq ID. The Bugtraq ID number assigned to the vulnerability by SecurityFocus, a vendor-neutral web site that provides security information to members of the security community. Select the Bugtraq ID to link directly to the SecurityFocus web site.

Service Modified. The date the vulnerability was last modified by the service. The Service Modified date is updated when any of the following attributes has changed: severity level, threat description, impact description, solution description, patch availability, CVSS Base score, CVSS Temporal score, authentication requirement, or PCI relevance.

User Modified. The date the vulnerability was last modified by a user. The User Modified date appears when a user has updated any of the following attributes: severity level, threat comment, impact comment or solution comment.

Edited. Identifies whether the vulnerability was edited by a user: Yes or No.

 

CVSS Information

CVSS stands for the Common Vulnerability Scoring System. The service uses CVSS version 2.0 to calculate the PCI Pass/Fail Criteria.

CVSS Base. The CVSS Base score assigned to a vulnerability represents the fundamental, unchanging qualities of the vulnerability. The CVSS Base score that is displayed was provided by NIST when possible.

In some cases the displayed CVSS Base score is not the one supplied by NIST. When the service looked up the latest NIST score for the vulnerability, as published in the National Vulnerability Database (NVD), NIST either listed the CVSS Base score as 0 or did not provide a score at all. In such cases the service determined that the severity of the vulnerability warranted a higher CVSS Base score, and the score provided by the service is displayed.

CVSS Temporal. The CVSS Temporal score represents time dependent qualities of the vulnerability.

 

PCI Compliance Information

FAIL. This flag indicates that the vulnerability failed PCI compliance. Vulnerabilities with the FAIL status must be remediated to pass the PCI compliance requirements. Vulnerabilities that show no PCI status were also found on the hosts by the PCI compliance service but are not in scope for PCI; we nevertheless recommend remediating them in severity order.

The PCI severity level appears as: HIGH, MEDIUM or LOW. This severity is calculated based on the CVSS version 2.0 score assigned to the vulnerability.

See PCI Pass/Fail Criteria for information on the calculation of the PCI pass/fail status and PCI severity levels.

Important: The service uses the PCI severity level and other criteria, as defined by the PCI Security Standards Council, to determine whether a detected vulnerability passes or fails the PCI compliance requirements. Please note that the PCI severity level, based on CVSS score, is not the only criterion used to calculate a vulnerability's pass/fail status. A vulnerability may pass or fail PCI compliance based on the type of exploit. For example, a denial of service vulnerability will pass PCI compliance regardless of its CVSS score.

 

Remediation Information

Threat. A description of the threat posed by the vulnerability. The threat description is provided by the service.

Impact. A description of the impact, that is, the possible consequences if the vulnerability is successfully exploited. The impact description is provided by the service.

Solution. A description of the suggested solution to fix the vulnerability. This may include a link to a patch, update, the vendor's Web site, or a workaround. The solution description is provided by the service.

Results. Specific scan test results for the vulnerability, when returned by the scanning engine.