Trustwave gives false on security!

8 years ago
Hi,

I am having an issue with the payment system not getting processed correctly.

Trustwave, from the card processing company, sent me this PDF and I wanted to share this.
Please reply ASAP for this critical issue.

-- PDF contents

Vulnerability Scan Report: Executive Summary
Report Date: 2015-10-22
Pages 3 to 8 of 126
Copyright © 2015 Trustwave Holdings, Inc., All rights reserved.
Confidential Information: This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of Trustwave and ANGELWINECLUB COM.

| # | IP Address | Vulnerabilities Noted | Severity | CVSS Score | Compliance Status | Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability |
|---|---|---|---|---|---|---|
| 1 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat AJP Protocol Request Spoofing Vulnerability, CVE-2011-3190 | High | 7.50 | Fail | |
| 2 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Transfer-Encoding Header Vulnerability, CVE-2010-2227 | Medium | 6.40 | Fail | Note to scan customer: An HTTP response splitting/header injection vulnerability violates PCI DSS and is considered an automatic failing condition. |
| 3 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Default Configuration Does Not Use httpOnly Cookies, CVE-2010-4312 | Medium | 6.40 | Fail | |
| 4 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Request Smuggling and Denial of Service Vulnerability, CVE-2014-0227 | Medium | 6.40 | Fail | Note to scan customer: An HTTP response splitting/header injection vulnerability violates PCI DSS and is considered an automatic failing condition. |
| 5 | 23.91.123.36 (angelwineclub.com) | Unencrypted Communication Channel Accessibility | Medium | 6.20 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. Unencrypted communication channels violate Requirement 4 of the PCI DSS and are considered an automatic failing condition. |
| 6 | 23.91.123.36 (angelwineclub.com) | Unencrypted Communication Channel Accessibility | Medium | 6.20 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. Unencrypted communication channels violate Requirement 4 of the PCI DSS and are considered an automatic failing condition. |
| 7 | 23.91.123.36 (angelwineclub.com) | RDP Weak Encryption Supported | Medium | 6.10 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. |
| 8 | 23.91.123.36 (angelwineclub.com) | Basic Authentication over HTTP | Medium | 6.10 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. Unencrypted communication channels violate Requirement 4 of the PCI DSS and are considered an automatic failing condition. |
| 9 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat WAR Deployment Multiple Vulnerabilities, CVE-2009-2693 CVE-2009-2901 CVE-2009-2902 | Medium | 5.80 | Fail | |
| 10 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat HTTP Header Parsing Vulnerability, CVE-2013-4286 | Medium | 5.80 | Fail | Note to scan customer: An HTTP response splitting/header injection vulnerability violates PCI DSS and is considered an automatic failing condition. |
| 11 | 23.91.123.36 (angelwineclub.com) | SSLv3 Supported, CVE-2014-3566 | Medium | 5.00 | Fail | Note to scan customer: SSL v3.0 violates PCI DSS and is considered an automatic failing condition. |
| 12 | 23.91.123.36 (angelwineclub.com) | TLSv1.0 Supported | Medium | 5.00 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition. |
| 13 | 23.91.123.36 (angelwineclub.com) | OpenSSL 'Heartbleed' Data Leakage Vulnerability, CVE-2014-0160 | Medium | 5.00 | Fail | |
| 14 | 23.91.123.36 (angelwineclub.com) | SSLv3 Supported, CVE-2014-3566 | Medium | 5.00 | Fail | Note to scan customer: SSL v3.0 violates PCI DSS and is considered an automatic failing condition. |
| 15 | 23.91.123.36 (angelwineclub.com) | TLSv1.0 Supported | Medium | 5.00 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition. |
| 16 | 23.91.123.36 (angelwineclub.com) | OpenSSL 'Heartbleed' Data Leakage Vulnerability, CVE-2014-0160 | Medium | 5.00 | Fail | |
| 17 | 23.91.123.36 (angelwineclub.com) | SSLv3 Supported, CVE-2014-3566 | Medium | 5.00 | Fail | Note to scan customer: SSL v3.0 violates PCI DSS and is considered an automatic failing condition. |
| 18 | 23.91.123.36 (angelwineclub.com) | TLSv1.0 Supported | Medium | 5.00 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition. |
| 19 | 23.91.123.36 (angelwineclub.com) | TLSv1.0 Supported | Medium | 5.00 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition. |
| 20 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Weakness in HTTP DIGEST Authentication due to Unchecked Values, CVE-2011-5062 | Medium | 5.00 | Fail | |
| 21 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat HTTP Digest Access Authentication Implementation Vulnerability via Not Checking Nonce Values, CVE-2011-1184 | Medium | 5.00 | Fail | |
| 22 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Digest Access Authentication Bypass via Session Info, CVE-2012-5886 | Medium | 5.00 | Fail | |
| 23 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Digest Access Authentication Bypass Restrictions, CVE-2012-5887 | Medium | 5.00 | Fail | |
| 24 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Digest Access Authentication Replay Countermeasure Bypass Restrictions, CVE-2012-5885 | Medium | 5.00 | Fail | |
| 25 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Security Manager Bypass Vulnerability, CVE-2014-7810 | Medium | 5.00 | Fail | |
| 26 | 23.91.123.36 (angelwineclub.com) | Web Application Transmits Login Credentials Without Encryption | Medium | 4.60 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. Unencrypted communication channels violate Requirement 4 of the PCI DSS and are considered an automatic failing condition. |
| 27 | 23.91.123.36 (angelwineclub.com) | Web Application Transmits Login Credentials Without Encryption | Medium | 4.60 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. Unencrypted communication channels violate Requirement 4 of the PCI DSS and are considered an automatic failing condition. |
| 28 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability, CVE-2011-2526 | Medium | 4.40 | Fail | |
| 29 | 23.91.123.36 (angelwineclub.com) | SSL/TLS Weak Encryption Algorithms, CVE-2013-2566 CVE-2015-2808 | Medium | 4.30 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. |
| 30 | 23.91.123.36 (angelwineclub.com) | SSL/TLS Weak Encryption Algorithms, CVE-2013-2566 CVE-2015-2808 | Medium | 4.30 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. |
| 31 | 23.91.123.36 (angelwineclub.com) | SSL/TLS Weak Encryption Algorithms, CVE-2013-2566 CVE-2015-2808 | Medium | 4.30 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. |
| 32 | 23.91.123.36 (angelwineclub.com) | SSL/TLS Weak Encryption Algorithms, CVE-2013-2566 CVE-2015-2808 | Medium | 4.30 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. |
| 33 | 23.91.123.36 (angelwineclub.com) | RDP SSL/Hybrid Mode Supported but Not Enforced | Medium | 4.30 | Fail | Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. |
| 34 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Weakness in HTTP DIGEST Authentication due to Hard-Coded Server Secret, CVE-2011-5064 | Medium | 4.30 | Fail | |
| 35 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat HTTP Digest Access Authentication Implementation Vulnerability via Not Checking Realm Values, CVE-2011-5063 | Medium | 4.30 | Fail | |
| 36 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Cross-site Request Forgery Bypass, CVE-2012-4431 | Medium | 4.30 | Fail | Note to scan customer: A cross-site scripting vulnerability violates PCI DSS and is considered an automatic failing condition. |
| 37 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat setUserPrincipal Form Security Bypass, CVE-2012-3546 | Medium | 4.30 | Fail | |
| 38 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Information Disclosure via External XML Entities, CVE-2014-0096 | Medium | 4.30 | Fail | |
| 39 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat HTTP Request Smuggling Vulnerability, CVE-2014-0099 | Medium | 4.30 | Fail | |
| 40 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Internals Information Disclosure Vulnerability, CVE-2013-4590 | Medium | 4.30 | Fail | |
| 41 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Javadoc Frame Injection Vulnerability, CVE-2013-1571 | Medium | 4.30 | Fail | |
| 42 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat Information Disclosure via XML Parser, CVE-2014-0119 | Medium | 4.30 | Fail | |
| 43 | 23.91.123.36 (angelwineclub.com) | Apache Tomcat 6.0.12 through 6.0.29 and 7.0.x Prior to 7.0.5 Multiple Cross-Site Scripting Vulnerabilities, CVE-2010-4172 | Medium | 4.30 | Fail | Note to scan customer: A cross-site scripting vulnerability violates PCI DSS and is considered an automatic failing condition. |
8 years ago
This is a problem with your Trustwave payment provider plugin. You need to forward it to the developers of the plugin.
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.