Tag list and their meaning within vulnscan

There are two kind of probes performed by vulnscan. One kind is remotely checking for a known vulnerability (or CVE) with an active, innocuous and non-intrusive test. This check is based on sanitized version of public Proof-of-Concept exploit codes. Some vulnerability check can detected a specific CVE but also associated CVEs. That’s the case with proxyshell check where noting less than 3 CVEs are detected.

The other kind is based on different technics used to gather an exact version of a product. Sometimes, a product is so verbose you just have to parse HTML responses and sometimes you have to send a specific application request to gather its exact version.

First kind is called ‘check-based’ vulnerability detection, and the second one is called ‘version-based’ vulnerability detection. We always prefer to use ‘check-based’ version detection, but we have our own policy to decide whether to include a CVE check or not. ‘Version-based’ will always be the fallback choice.

To know how the CVE has been identified, you have to understand the meaning of tags.

Check-based tags

When a check is launched, there are three possibilities as a result:

We avoid the last possibility to the maximum extent possible. There is only one such case today with the proxynotshell check.

Thus, corresponding tags are set:


Version-based tags

On version detection cases, there are five possibilities as a result:

Corresponding tags are set:


Other tags

There are many other tags, but the most important are as follows:

Of course, if there is a CVE field in the result, you will know which vulnerability has been identified on the device.