Vulnerability Scan Result
| Title: | The essential portal for Mortgage and Financial Intermediaries |
| Description: | No description found |
| IP address | 138.201.128.36 |
| Country | DE  |
| AS number | AS24940 |
| Net name | Hetzner Online GMBH |
21/tcp | ftp | Microsoft ftpd |
25/tcp | smtp | MailEnable smtpd |
53/tcp | domain | Simple DNS Plus |
80/tcp | http | Microsoft IIS httpd 10.0 |
110/tcp | pop3 | MailEnable POP3 Server |
135/tcp | msrpc | Microsoft Windows RPC |
143/tcp | imap | MailEnable imapd |
443/tcp | https | |
465/tcp | smtp | MailEnable smtpd |
993/tcp | imap | |
995/tcp | pop3 | MailEnable POP3 Server |
8443/tcp | https | Microsoft IIS httpd 10.0 |
| Software / Version | Category |
|---|---|
| Microsoft Clarity 0.7.62 | Analytics |
| FancyBox 2.1.5 | JavaScript libraries |
| jQuery Migrate | JavaScript libraries |
| core-js 3.38.1 | JavaScript libraries |
| Google Analytics GA4 | Analytics |
| Google Font API | Font scripts |
| jQuery 1.9.1 | JavaScript libraries |
| lit-element 4.1.1 | JavaScript libraries |
| lit-html 3.2.1 | JavaScript libraries |
| Google Maps | Maps |
| Windows Server | Operating systems |
| Modernizr 2.8.3 | JavaScript libraries |
| Open Graph | Miscellaneous |
| Spin.js | JavaScript libraries |
| PWA | Miscellaneous |
| Microsoft ASP.NET 4.0.30319 | Web frameworks |
| Google Tag Manager | Tag managers |
| IIS 10.0 | Web servers |
| Plesk | Hosting panels |
Web Application Vulnerabilities
Evidence
| URL | Cookie Name | Evidence |
|---|---|---|
| https://www.cherryplc.co.uk/industry/ | ASP.NET_SessionId | Set-Cookie: ASP.NET_SessionId=a22c1gdrblohne1ic4auxqhl |
Vulnerability description
We found that a cookie has been set without the <code>Secure</code> flag, which means the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. The root cause for this usually revolves around misconfigurations in the code or server settings.
Recommendation
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
Classification
| CWE | CWE-614 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| Risk Level | CVSS | CVE | Summary | Affected software |
|---|---|---|---|---|
| 4.3 | CVE-2015-9251 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | jquery 1.9.1 | |
| 4.3 | CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. | jquery 1.9.1 | |
| 4.3 | CVE-2020-11023 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | jquery 1.9.1 | |
| 4.3 | CVE-2020-11022 | In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | jquery 1.9.1 |
Vulnerability description
We noticed known vulnerabilities in the target application based on the server responses. They are usually related to outdated systems and expose the affected applications to the risk of unauthorized access to confidential data and possibly denial of service attacks. Depending on the system distribution the affected software can be patched but displays the same version, requiring manual checking.
Recommendation
In order to eliminate the risk of these vulnerabilities, we recommend you check the installed software version and upgrade to the latest version.
Classification
| CWE | CWE-1026 |
| OWASP Top 10 - 2017 | A9 - Using Components with Known Vulnerabilities |
| OWASP Top 10 - 2021 | A6 - Vulnerable and Outdated Components |
Evidence
| URL | Evidence |
|---|---|
| https://www.cherryplc.co.uk/industry/ | Response headers do not include the HTTP Strict-Transport-Security header |
Vulnerability description
We noticed that the target application lacks the HTTP Strict-Transport-Security header in its responses. This security header is crucial as it instructs browsers to only establish secure (HTTPS) connections with the web server and reject any HTTP connections.
Recommendation
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows: `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]` The parameter `max-age` gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months. A value below 7776000 is considered as too low by this scanner check. The flag `includeSubDomains` defines that the policy applies also for sub domains of the sender of the response.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://www.cherryplc.co.uk/industry/ | Response does not include the HTTP Content-Security-Policy security header or meta tag |
Vulnerability description
We noticed that the target application lacks the Content-Security-Policy (CSP) header in its HTTP responses. The CSP header is a security measure that instructs web browsers to enforce specific security rules, effectively preventing the exploitation of Cross-Site Scripting (XSS) vulnerabilities.
Recommendation
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://www.cherryplc.co.uk/industry/ | Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response. |
Vulnerability description
We noticed that the target application's server responses lack the <code>Referrer-Policy</code> HTTP header, which controls how much referrer information the browser will send with each request originated from the current web application.
Recommendation
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://www.cherryplc.co.uk/industry/ | Response headers do not include the X-Content-Type-Options HTTP security header |
Vulnerability description
We noticed that the target application's server responses lack the <code>X-Content-Type-Options</code> header. This header is particularly important for preventing Internet Explorer from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header.
Recommendation
We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| Software / Version | Category |
|---|---|
| Microsoft Clarity 0.7.62 | Analytics |
| FancyBox 2.1.5 | JavaScript libraries |
| jQuery Migrate | JavaScript libraries |
| core-js 3.38.1 | JavaScript libraries |
| Google Analytics GA4 | Analytics |
| Google Font API | Font scripts |
| jQuery 1.9.1 | JavaScript libraries |
| lit-element 4.1.1 | JavaScript libraries |
| lit-html 3.2.1 | JavaScript libraries |
| Google Maps | Maps |
| Windows Server | Operating systems |
| Modernizr 2.8.3 | JavaScript libraries |
| Open Graph | Miscellaneous |
| Spin.js | JavaScript libraries |
| PWA | Miscellaneous |
| Microsoft ASP.NET 4.0.30319 | Web frameworks |
| Google Tag Manager | Tag managers |
| IIS 10.0 | Web servers |
| Plesk | Hosting panels |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
Vulnerability description
We found the robots.txt on the target server. This file instructs web crawlers what URLs and endpoints of the web application they can visit and crawl. Website administrators often misuse this file while attempting to hide some web pages from the users.
Recommendation
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website (ex. administration panels, configuration files, etc).
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Vulnerability description
Website is accessible.
Evidence
Vulnerability description
We have noticed that the server is missing the security.txt file, which is considered a good practice for web security. It provides a standardized way for security researchers and the public to report security vulnerabilities or concerns by outlining the preferred method of contact and reporting procedures.
Recommendation
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Infrastructure Vulnerabilities
Evidence
| Risk level | CVSS | CVE | Summary | Exploit |
|---|---|---|---|---|
| 5 | CVE-2020-27511 | An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 where an attacker can cause a Regular Expression Denial of Service (ReDOS) through stripping crafted HTML tags. | N/A |
Vulnerability description
Vulnerabilities found for Prototype 1.7.3
Recommendation
We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpdVulnerability description
We found that the File Transfer Protocol (FTP) service is publicly accessible. The FTP enables client systems to connect to upload and download files. Nonetheless, FTP lacks encryption for the data exchanged between the server and the client, leaving all transferred data exposed in plaintext.
Recommendation
We recommend turning off FTP access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the FTP service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, utilizing SFTP (Secure File Transfer Protocol) is recommended as this protocol employs encryption to secure data transfers.
Starting Nmap ( https://nmap.org ) at 2025-01-13 17:20 EET
Nmap scan report for www.cherryplc.co.uk (138.201.128.36)
Host is up (0.022s latency).
rDNS record for 138.201.128.36: zinc.zarbi.co.uk
PORT STATE SERVICE VERSION
110/tcp open pop3 MailEnable POP3 Server
|_pop3-capabilities: USER UIDL TOP
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
Vulnerability description
We found that the Post Office Protocol (POP3) service is publicly accessible and doesn’t include STARTTLS capability. Email clients use the Post Office Protocol (POP) to download emails for user accounts. Some POP servers are initially set up to operate over an unsecured protocol. When email clients download email content through this plaintext protocol, it can pose a substantial risk to the organization's network, especially depending on which user account is set to receive the emails.
Recommendation
We recommend turning off POP3 access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the POP3 service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, activating STARTTLS capability (switching the connection to a secure communication) or utilizing Secure POP3 (POP3S) is recommended, as this protocol employs encryption.
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPCVulnerability description
We found that the Windows Remote Procedure Call (RPC) service is publicly accessible. RPC is a protocol that one program can use to request a service from a program located on another computer in a network.
Recommendation
We recommend turning off RPC access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the RPC service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall.
Starting Nmap ( https://nmap.org ) at 2025-01-13 17:20 EET
Nmap scan report for www.cherryplc.co.uk (138.201.128.36)
Host is up (0.023s latency).
rDNS record for 138.201.128.36: zinc.zarbi.co.uk
PORT STATE SERVICE VERSION
995/tcp open ssl/pop3 MailEnable POP3 Server
|_pop3-capabilities: USER TOP UIDL
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.83 seconds
Vulnerability description
We found that the Post Office Protocol (POP3) service is publicly accessible and doesn’t include STARTTLS capability. Email clients use the Post Office Protocol (POP) to download emails for user accounts. Some POP servers are initially set up to operate over an unsecured protocol. When email clients download email content through this plaintext protocol, it can pose a substantial risk to the organization's network, especially depending on which user account is set to receive the emails.
Recommendation
We recommend turning off POP3 access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the POP3 service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, activating STARTTLS capability (switching the connection to a secure communication) or utilizing Secure POP3 (POP3S) is recommended, as this protocol employs encryption.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| www.cherryplc.co.uk | A | IPv4 address | 138.201.128.36 |
| www.cherryplc.co.uk | NS | Name server | ns3.dnsmadeeasy.com |
| www.cherryplc.co.uk | NS | Name server | ns0.dnsmadeeasy.com |
| www.cherryplc.co.uk | NS | Name server | ns1.dnsmadeeasy.com |
| www.cherryplc.co.uk | NS | Name server | ns2.dnsmadeeasy.com |
| www.cherryplc.co.uk | NS | Name server | ns4.dnsmadeeasy.com |
| www.cherryplc.co.uk | MX | Mail server | 1 mail.cherryplc.co.uk |
| www.cherryplc.co.uk | SOA | Start of Authority | ns0.dnsmadeeasy.com. dns.dnsmadeeasy.com. 2008010147 43200 3600 1209600 180 |
| www.cherryplc.co.uk | TXT | Text record | "google-site-verification=094yWSjav5OfBE4pZt2jIGWeNln38DW7BGP-YYq1W2U" |
| www.cherryplc.co.uk | SPF | Sender Policy Framework | "v=spf1 mx a ip4:109.228.6.244 include:trustedemail.co.uk ip4:5.9.30.216 include:_spf.clearbooks.co.uk -all" |
| www.cherryplc.co.uk | CNAME | Canonical name | cherryplc.co.uk |
Recommendation
We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.
Evidence
| Operating System |
|---|
| Microsoft Windows Server 2016 |
Vulnerability description
OS Detection
Recommendation
Vulnerability checks are skipped for ports that redirect to another port. We recommend scanning the redirected port directly.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| www.cherryplc.co.uk | SPF | Sender Policy Framework | "v=spf1 mx a ip4:109.228.6.244 include:trustedemail.co.uk ip4:5.9.30.216 include:_spf.clearbooks.co.uk -all" |
Evidence
| Software / Version | Category |
|---|---|
| Plesk | Hosting panels |
| Windows Server | Operating systems |
| Google Maps | Maps |
| Microsoft ASP.NET 4.0.30319 | Web frameworks |
| IIS 10.0 | Web servers |
| Microsoft Clarity 0.7.62 | Analytics |
| jQuery | JavaScript libraries |
| Google Tag Manager | Tag managers |
| Google Font API | Font scripts |
| Google Analytics GA4 | Analytics |
| PWA | Miscellaneous |
| Open Graph | Miscellaneous |
| Spin.js | JavaScript libraries |
| Modernizr 2.8.3 | JavaScript libraries |
| lit-html 3.2.1 | JavaScript libraries |
| lit-element 4.1.1 | JavaScript libraries |
| jQuery Migrate | JavaScript libraries |
| FancyBox 2.1.5 | JavaScript libraries |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Evidence
| Software / Version | Category |
|---|---|
| Plesk | Hosting panels |
| Sentry | Issue trackers |
| Windows Server | Operating systems |
| Microsoft ASP.NET | Web frameworks |
| React | JavaScript frameworks |
| RequireJS 2.3.7 | JavaScript frameworks |
| Prototype 1.7.3 | JavaScript frameworks |
| React Router 6 | JavaScript frameworks |
| IIS 10.0 | Web servers |
| core-js 3.38.1 | JavaScript libraries |
| Webpack | Miscellaneous |
| Module Federation | Miscellaneous |
| PWA | Miscellaneous |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.