My latest PCI Scan is showing some issues. I know three of them are false positives. I am just not sure why they are showing when they have not appeared on previous scans. They may all be false positives.
False Positives (All Port 443):
- AgoraCart - agora.cgi cart_Id Parameter XSS (CVE-2001-1199)
- Fag-O-Matic fom.cgi Multiple Parameter XSS (CVE-2002-0230 / CVE-2002-2011)
- Pinnacle ShowCenter SettingsBase.php Skin Parameter XSS (CVE-2004
1. CPE Based Vulnerabilities for Exim smtpd 4.95 (Port 465 / Port 587) (CVE-2020-28017). I am running Exim version 4.95.
2. CGI Generic XSS (comprehensive test) - It relates to my WooCommerce 'add-to-cart' parameter. I wonder if this is also related to what is causing the false positives for the other XSS items.
The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non-persistent' or 'reflected'. See also: Cross-site scripting - Wikipedia; Results, Unicode Left/Right Pointing Double Angle Quotation Mark; The Web Application Security Consortium / Cross Site Scripting.
Any assistance would be appreciated.