Skip to main content

Vulnerability Database

Simple Vulnerability Manager includes an extensive database containing the most recognized vulnerabilities that computer systems can suffer. The database is organized into four primary categories based on assessment methodology: Web Scanners, Service Scanners, Static Scanners, and Mobile.

Database Overview

The vulnerability database provides a comprehensive knowledge base for security assessments:
  • Extensive Coverage: Most recognized vulnerabilities across multiple platforms
  • Categorized Organization: Grouped by scanner type for easy navigation
  • Detailed Information: Each vulnerability includes description, impact, and remediation
  • Regular Updates: Knowledge base receives updates with new vulnerabilities
  • Multi-language Support: Available in English, Spanish, and Russian
The vulnerability database was significantly expanded in version 1.1.791 with many new translated vulnerabilities added to the knowledge base.

Vulnerability Categories

Web Scanners

Web scanner vulnerabilities target web applications and include common issues found by tools like Acunetix, Burp Suite, Netsparker, and Arachni.
Web scanner vulnerabilities typically include:
  • Injection Flaws: SQL injection, command injection, LDAP injection
  • Cross-Site Scripting (XSS): Reflected, stored, and DOM-based XSS
  • Authentication Issues: Weak credentials, broken authentication mechanisms
  • Session Management: Session fixation, weak session IDs
  • Access Control: Broken authorization, privilege escalation
  • Security Misconfigurations: Default credentials, unnecessary features enabled
  • Sensitive Data Exposure: Unencrypted data, weak cryptography
  • CSRF: Cross-Site Request Forgery vulnerabilities
  • Component Vulnerabilities: Outdated libraries, known vulnerable components
Each vulnerability entry includes:
  • Brief description explaining what creates the problem
  • Impact assessment on the system
  • Step-by-step remediation instructions
SVM integrates with industry-leading web vulnerability scanners:
Acunetix Support
  • Version 10.5: Local scanning support
  • Version 11: Enterprise API scanning (added in version 1.1.792)
  • Quick Launch: Execute scans with a single click
  • Target Management: Automatic target creation from project web addresses
Acunetix 11 requires Enterprise license and uses API-based scanning. Legacy Acunetix 10.5 remote support was removed in version 1.1.792.

Service Scanners

Service scanner vulnerabilities cover network services, operating systems, and infrastructure issues detected by tools like Qualys, Nessus, OpenVAS, and Nmap.
Service scanner vulnerabilities include:
  • Network Services: Vulnerable protocols and services (SMB, FTP, SSH, etc.)
  • Operating System Flaws: OS-level vulnerabilities and missing patches
  • Configuration Issues: Weak configurations, unnecessary services
  • Missing Updates: Unpatched systems and outdated software
  • SSL/TLS Issues: Weak ciphers, certificate problems, protocol vulnerabilities
  • Default Credentials: Factory default passwords still in use
  • Information Disclosure: Banner grabbing, version exposure
  • Denial of Service: DoS vulnerabilities in network services
Qualys Integration
  • Community Edition: Free tier support
  • Enterprise Edition: Full enterprise features
  • Configuration Import: Automatically import scan configurations from Qualys
  • Private IP Limitation: External Qualys cannot scan private IP addresses
Qualys External scanning does not support private IP addresses (e.g., 192.168.x.x, 10.x.x.x). Use internal scanners or Qualys Private Cloud for internal network assessments.

Static Scanners

Static analysis vulnerabilities focus on source code issues and application security flaws found through static code analysis.
Fortify IntegrationSVM includes support for Fortify static analysis results:
  • Import Fortify scan results
  • Vulnerability renaming capabilities (fixed in version 2.1.1)
  • Source code security issues
  • Code quality and security best practices
Static analysis vulnerabilities typically include:
  • Buffer overflows and memory issues
  • Injection vulnerabilities in code
  • Cryptographic weaknesses
  • Poor error handling
  • Insecure configurations in code

Mobile Vulnerabilities

Mobile scanner vulnerabilities specifically target Android and iOS applications, focusing on mobile-specific security issues.
Mobile vulnerabilities include:
  • Insecure Data Storage: Sensitive data stored without encryption
  • Weak Cryptography: Poor encryption implementations
  • Insecure Communication: Unencrypted network traffic
  • Improper Platform Usage: Misuse of mobile OS features
  • Code Quality: Reverse engineering vulnerabilities
  • Authentication/Authorization: Mobile-specific auth issues
  • Client Code Quality: Hardcoded secrets, debug code
SVM integrates with comprehensive Android security testing tools:
Mobile Application Analysis
  • ApkTools (v2.4.0): APK decompilation and recompilation
  • Enjarify: Convert APK to JAR for analysis
  • JD-Gui (v1.5.2): Java decompiler for source code review
Tool versions were updated in version 2.1.0 to the latest stable releases.

Using the Vulnerability Database

Adding Vulnerabilities to Projects

1

Select Vulnerability Category

Choose the appropriate scanner category based on your assessment:
  • Web Scanners for web application testing
  • Service Scanners for network and infrastructure
  • Static Scanners for code analysis results
  • Mobile for Android/iOS application testing
2

Browse Available Vulnerabilities

Review the list of available vulnerabilities in each category.Each entry displays:
  • Vulnerability name and identifier
  • Risk level (Critical, High, Medium, Low, Informational)
  • Brief description
3

Add to Project

Select vulnerabilities detected during your assessment and add them to the active project.
4

Customize Details

For each added vulnerability:
  • Add project-specific context and comments
  • Attach screenshots as evidence
  • Include request/response data
  • Document specific impact for the client
5

Rename if Needed

Customize vulnerability names to match your reporting standards using the toolbar rename function (available for all categories).

Vulnerability Information Structure

Each vulnerability in the database contains three key sections:
What Creates the ProblemA brief technical description explaining:
  • The nature of the vulnerability
  • How it occurs in systems
  • Technical conditions that create the flaw
  • Common causes and configurations

Risk Classification

Vulnerabilities are classified by risk level with customizable color coding:
  • Critical: Immediate attention required, active exploitation possible
  • High: Significant risk, should be addressed urgently
  • Medium: Moderate risk, address in normal remediation cycle
  • Low: Minor issues, address when convenient
  • Informational: No direct security impact, awareness only
Risk colors can be customized in the configuration settings. Since version 2.0.0, you can assign custom colors to each risk level and apply different Word table styles per risk category.

Reconnaissance and Information Gathering Tools

SVM includes tools for information gathering that help identify potential vulnerabilities:
Recon-ng IntegrationWeb reconnaissance framework for information gathering:
  • Domain enumeration and subdomain discovery
  • Certificate transparency checks (added in version 2.0.1)
  • Google site web searches
  • HackerTarget integration
  • ThreatCrowd intelligence
  • SHODAN API integration
  • IPInfoDB lookups
Domains can be entered without specifying the protocol when using Recon-ng. API keys for services like SHODAN and IPInfoDB can be configured in the settings.
EyeWitness Screenshot Tool
  • Automated web application screenshots
  • HTTP/HTTPS service identification
  • Remote installation support
  • Report retrieval and integration
EyeWitness helps document the visual state of web applications during assessments.

Database Management

Knowledge Base Updates

The vulnerability database receives periodic updates:
  • New vulnerabilities added as they are discovered
  • Existing entries refined with better remediation guidance
  • Multi-language translations (English, Spanish, Russian)
  • Version 1.1.791 included a major knowledge base update
Starting from version 2.1.0, SVM includes an update feature in Tools menu to update all scripts and internal tools, keeping your security tool integration current.
You can customize the vulnerability database:
  • Rename vulnerabilities to match your organization’s taxonomy
  • Add custom comments and descriptions
  • Create project-specific vulnerability variants
  • Maintain consistency across multiple assessments

Exporting and Reporting

Export Capabilities

Export vulnerability data to Excel for analysis:
  • Complete project vulnerability lists
  • Filtered by risk level (including Critical vulnerabilities - fixed in version 2.1.0)
  • Search results from the vulnerability browser
  • Comprehensive data export for external processing
Excel export requires Microsoft Excel to be installed on your system. Proper error handling was added in version 2.0.2.

Language Support

The vulnerability database supports multiple languages:
  • English: Full vulnerability descriptions and remediation
  • Spanish: Complete translation (original language)
  • Russian: Added in version 2.1.0
Full Unicode support (version 2.1.0) ensures proper display of all characters across all supported languages.