These are the kinds of issues that automated scanning should pick up. Given that just about every financial firm I’ve worked with has already purchased automated scanning, either they are ignoring the output, and/or they aren’t scanning the correct sites. Time to check your Qualys settings?…:
[…] ImmuniWeb said that on average, each website contained two different web software components, JS libraries, frameworks, or other third-party code. As many as 29 websites contained at least one publicly disclosed and unpatched security vulnerability that was classed as medium or high risk.
The oldest unpatched vulnerability detected during the research was CVE-2011-4969 impacting jQuery 1.6.1, which has been known since 2011. ImmuniWeb said the most popular website vulnerabilities were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3), and Security Misconfiguration (OWASP A6).
“With regard to the subdomains, the situation is even more disastrous with outdated components: 81% of the subdomains that contain fingerprintable external software have outdated components and 2% contain a publicly disclosed and exploitable vulnerability of medium or high risk,” the company wrote.
ImmuniWeb said 100% of the banks it looked into also had security vulnerabilities or issues related to forgotten subdomains.
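As an added illustration (not part of the original post or ImmuniWeb's tooling) of the kind of check a scanner, or a quick in-house script run against your own sites, should perform, here is a small Python fingerprinting example: it pulls library versions out of script tags and flags jQuery builds older than 1.6.3, the release that fixed CVE-2011-4969. The HTML sample and hostnames are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample page, modelled on what a fingerprinting scan of a site sees.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.com/jquery-1.6.1.min.js"></script>
<script src="/static/js/jquery.ui-1.12.1.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js?v=2"></script>
<script src="/assets/app.js"></script>
</head></html>
"""

# Minimum version that is free of the known issue: jQuery 1.6.3 fixed CVE-2011-4969.
MIN_SAFE = {"jquery": (1, 6, 3)}

_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
# Matches a basename like jquery-1.6.1.min.js or jquery.3.6.0.js (not jquery.ui-*).
_VER_RE = re.compile(
    r'(?:^|/)(jquery)[-.]?(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$', re.IGNORECASE
)


def fingerprint_scripts(html: str) -> List[Tuple[str, str, Tuple[int, ...]]]:
    """Return (library, src, version_tuple) for each recognised library script tag."""
    found = []
    for src in _SRC_RE.findall(html):
        path = src.split("?", 1)[0]  # drop cache-busting query strings before matching
        m = _VER_RE.search(path)
        if m:
            lib = m.group(1).lower()
            version = tuple(int(x) for x in m.groups()[1:] if x is not None)
            found.append((lib, src, version))
    return found


def outdated_components(html: str) -> List[Tuple[str, str, Tuple[int, ...]]]:
    """Flag recognised components whose version is below the minimum safe version."""
    return [
        (lib, src, ver)
        for lib, src, ver in fingerprint_scripts(html)
        if lib in MIN_SAFE and ver < MIN_SAFE[lib]
    ]


if __name__ == "__main__":
    for lib, src, ver in outdated_components(SAMPLE_HTML):
        print(f"OUTDATED {lib} {'.'.join(map(str, ver))} at {src}")
```

Run it over the HTML of every host you own, subdomains included, since the quoted figures show that is where outdated components accumulate.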