The severity level assigned to a vulnerability tells you the security risk associated with its exploitation.
Confirmed vulnerabilities (QIDs) are design flaws, programming errors, or misconfigurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, successful exploitation of a confirmed vulnerability can range from disclosure of information to complete compromise of the web application and/or the web application platform. Even if the web application is not fully compromised, an exploited confirmed vulnerability could still allow the web application to be used to launch attacks against users of the site.
Potential vulnerabilities (QIDs) indicate that the scanner observed a weakness or error that is commonly used to attack a web application, but was unable to confirm whether the weakness or error could actually be exploited. Where possible, the QID's description and results sections include information and hints for following up with manual analysis. For example, exploitability may depend on characteristics the scanner cannot verify, such as the web application's network architecture, or confirming it may require more intrusive testing than the scanner is designed to conduct.
Information gathered issues (QIDs) include visible information about the web application's platform, code, or architecture. They may also include information about users of the web application.
See information gathered severity levels
Sensitive content may be detected based on known patterns (credit card numbers, social security numbers) or custom patterns (strings, regular expressions), depending on the option profile used. Intruders may gain access to sensitive content that could result in misuse or other exploits.
See sensitive content severity levels
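The following Python is an added illustration, not Qualys code, of how pattern-based sensitive content detection of the kind described above works: known patterns (card numbers, SSNs) are matched with regular expressions and then validated (Luhn checksum for cards, structural rules for SSNs) so that look-alike numbers are not reported, while custom patterns are plain regular expressions supplied by the user. The response body, the regexes, the validity rules and the `INTERNAL-` ticket pattern are all constructed for the example.

```python
import re

# Constructed sample response body (not from a real scan). It contains a
# Luhn-valid card number, a 16-digit number that fails Luhn, a well-formed
# SSN, an SSN-shaped string with an invalid area number, and a custom token.
SAMPLE_BODY = """
<p>Order receipt</p>
<p>Card on file: 4111 1111 1111 1111</p>
<p>Reference: 4111-1111-1111-1112</p>
<p>Employee SSN: 123-45-6789</p>
<p>Placeholder: 000-12-3456</p>
<p>Ticket: INTERNAL-ABC123</p>
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Three-two-four digit groups separated by hyphens.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_valid(area: str, group: str, serial: str) -> bool:
    """Simplified SSN structure check (assumption: area 000, 666 and 900-999,
    group 00 and serial 0000 are never issued)."""
    if area in ("000", "666") or int(area) >= 900:
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str, custom_patterns=()):
    """Scan text for known and custom sensitive-content patterns.

    Returns a list of (kind, evidence) tuples. Card and SSN evidence is
    masked so the finding itself does not reproduce the sensitive value.
    custom_patterns is an iterable of (name, regex) pairs.
    """
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("credit_card", "****" + digits[-4:]))
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if ssn_valid(area, group, serial):
            findings.append(("ssn", "***-**-" + serial))
    for name, pattern in custom_patterns:
        for m in re.finditer(pattern, text):
            findings.append((name, m.group(0)))
    return findings


if __name__ == "__main__":
    custom = [("internal_ticket", r"INTERNAL-[A-Z0-9]{6}")]
    for kind, evidence in find_sensitive(SAMPLE_BODY, custom):
        print(f"{kind}: {evidence}")
```

The Luhn and structural checks are what keep the order reference and the placeholder SSN out of the results; a detector that only matched digit patterns would report both as sensitive content.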
Vulnerabilities assigned a half red / half yellow severity level in the KnowledgeBase are vulnerabilities that may be confirmed in some cases and not in others because of various factors affecting scan results. If the vulnerability is confirmed during a scan, it appears as a red confirmed vulnerability in the results. If it cannot be confirmed, it appears as a yellow potential vulnerability in the results. Additionally, a scan may not gather enough information to confirm certain vulnerabilities because of the scan options applied and the services running at the time of the scan.