Magento Security Scan Tool is reporting:
XS Vulnerability - Failed. Information Leakage
Patch not detected (APPSEC-1802) response body is
missing expected '
And recommending this:
Apply the Magento 2.0.16/2.1.9 Security Update immediately. Review your site for signs of compromise. Find more information about Security Best Practices.
But the site is already running Magento CE 2.3.1, including the May 10 patch "Security Update for Potential Vulnerability in Magento Admin URL location".
Is anyone else seeing this issue?
UPDATE: guessing the Magento Security Scan Tool is screwed?
Now saying no threats (Low), despite nothing having changed on the target website.
Tool is also producing blank, empty PDF reports.
Just tested again, and the tool is once again reporting the message below.
Nothing at all has changed since the last scan six hours ago that stated all was OK!
Is this tool reliable? Seems not...?
XS Vulnerability - Failed. Information Leakage
Patch not detected (APPSEC-1802) response body is
missing expected '
And recommending this:
Apply the Magento 2.0.16/2.1.9 Security Update immediately
Hello, we're the same, very frustrated with this one. The site that I'm working on had a staging website, and on the staging website the scan result is low. And on the live one it is saying something like what you guys are experiencing right now. I wonder if this is a bug in the Magento Scanner.
Hello MazeStricks
Thanks for that, good to know we are not alone.
We've been running repeat tests over the last 24 hours, and all have gone back to showing LOW. This is despite nothing at all having changed!
This had us chasing shadows for two whole days, worrying that we might have missed something. We even did a brand new clean install of 2.3.1 and applied the 10 May 18 patch, then compared the core files with the live sites and could not spot any differences.
The weird thing is the inconsistency of the scan results. I'm guessing Magento people are playing around with the scan tool, maybe. Do they ever read these forums and comment?
I have the exact same issue and it started 2 days ago. Using Magento 2.3.1. Also the DEV and LIVE environments of the sites have the same vulnerability even though the code has not been changed.
When I search for APPSEC-1802 I only find this:
APPSEC-1802: Customer registration through frontend does not have anti-CSRF protection
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description:
We've added CSRF protection to the customer registration process to prevent attackers from taking over accounts.
Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
But as I see, this is fixed in 2.1.9?
Also, one funny thing: on our Magento sites we have completely disabled Customer Registration from the frontend.
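The APPSEC-1802 entry quoted above concerns CSRF protection on the customer registration form. A site owner who does not trust the scanner's verdict can verify the form locally. The following is an added example, not code from the thread or from Magento: it parses an HTML page, collects every form, and reports any POST form that lacks a hidden CSRF token field. It assumes the Magento 2 convention of a hidden input named `form_key` (the field name is a parameter, so it can be changed); the sample HTML is constructed for the demonstration and the token value in it is a placeholder.

```python
"""Check that POST forms on a page carry a hidden CSRF token field.

Added example (not from the forum thread or from Magento). Assumes the
Magento 2 convention of a hidden <input name="form_key"> in each POST form.
"""
from html.parser import HTMLParser


class FormCollector(HTMLParser):
    """Collects every <form> with its id, method, action and hidden input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # the form whose inputs we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names for us
        if tag == "form":
            self._current = {
                "id": a.get("id", ""),
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action", ""),
                "hidden": set(),
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Only hidden inputs can carry the anti-CSRF token.
            if (a.get("type") or "").lower() == "hidden" and a.get("name"):
                self._current["hidden"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_unprotected_post_forms(html, token_field="form_key"):
    """Return (id, action) of every POST form that has no hidden token_field.

    GET forms are ignored: they should not change state, so they need no token.
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return [
        (f["id"], f["action"])
        for f in parser.forms
        if f["method"] == "post" and token_field not in f["hidden"]
    ]


# Constructed sample page: a registration form with a token, a GET search
# form, and a hypothetical legacy signup form that forgot the token.
SAMPLE_HTML = """
<html><body>
<form id="form-validate" method="post" action="/customer/account/createpost/">
  <input type="hidden" name="form_key" value="PLACEHOLDER_TOKEN"/>
  <input type="text" name="email"/>
</form>
<form id="search" method="get" action="/catalogsearch/result/">
  <input type="text" name="q"/>
</form>
<form id="legacy-signup" method="POST" action="/legacy/register/">
  <input type="text" name="email"/>
</form>
</body></html>
"""

if __name__ == "__main__":
    for form_id, action in find_unprotected_post_forms(SAMPLE_HTML):
        print(f"POST form without form_key: id={form_id!r} action={action!r}")
```

To run it against a real page, fetch the registration page HTML (for example with `urllib.request`) and pass the body to `find_unprotected_post_forms`; an empty list means every POST form on that page carries the hidden token, which is independent of whatever the scanner reports on a given day.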
Yeah, it's very frustrating as well. I scanned many times. But the staging website does not have the same result as the live one. And the staging website is completely the same copy as the live one, as we all know. I think this may be a problem on their end, on their scanner. Maybe there's a bug or something. I hope you guys will find a fix for this one.
I think this was some Magento Security Team scan issue, because I did not change anything on the servers and now all of a sudden the risk is back to LOW.
So from my point of view, this is not something to worry about.
Hi MazeStricks / aki654321
We can confirm all our scans are back to normal (LOW).
Nothing was changed!
We also observed different results when scanning the staging site versus the live site, but the staging site was an exact copy of the live site, except we changed www to dev.
So perhaps the results are getting cached, which is not great, as when patches are applied you need to be able to re-scan right away to confirm any issues have been addressed.
No comments from Magento here seem to confirm they don't assist, at least in this thread / forum?
Hello Everyone.
Does anybody here know what the IP address of the Magento Security Scanner is? I tried searching in my Apache logs, but I'm not sure which is which. Maybe you guys have some idea.
Thanks!
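The post above asks how to pick the scanner's requests out of Apache logs. The thread does not give the scanner's address, and the following added example (not from the thread or from Magento) does not claim to know it either: it parses Apache combined-format access log lines and groups them by client IP and user agent, ranking clients by how many distinct paths they requested, because a scanner typically touches many different URLs from one address in a short window while a browsing visitor repeats a few. The log lines are constructed for the demonstration and use documentation IP ranges (192.0.2.0/24, 198.51.100.0/24), not any real scanner address.

```python
"""Group Apache combined-format access log entries by client to spot a scanner.

Added example (not from the forum thread or from Magento). The sample lines
below are constructed; the addresses are documentation ranges, not the real
scanner's IP, which this thread does not contain.
"""
import re
from collections import defaultdict

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_clients(lines):
    """Aggregate per (ip, user agent): request count, distinct paths, status counts."""
    summary = defaultdict(
        lambda: {"requests": 0, "paths": set(), "statuses": defaultdict(int)}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed or non-combined lines rather than crash
            continue
        entry = summary[(rec["ip"], rec["ua"])]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        entry["statuses"][rec["status"]] += 1
    return dict(summary)


def rank_by_distinct_paths(summary):
    """Clients that requested the most distinct paths first; ties broken by volume."""
    return sorted(
        summary.items(),
        key=lambda kv: (len(kv[1]["paths"]), kv[1]["requests"]),
        reverse=True,
    )


# Constructed sample log: one client sweeping several pages, one repeat visitor,
# and one line that is not in combined format.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [10/May/2019:12:00:01 +0000] "GET /customer/account/create/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (constructed-scanner)"',
    '192.0.2.10 - - [10/May/2019:12:00:02 +0000] "GET /customer/account/login/ HTTP/1.1" 200 4811 "-" "Mozilla/5.0 (constructed-scanner)"',
    '192.0.2.10 - - [10/May/2019:12:00:03 +0000] "GET /contact/ HTTP/1.1" 200 3902 "-" "Mozilla/5.0 (constructed-scanner)"',
    '198.51.100.7 - - [10/May/2019:12:01:00 +0000] "GET / HTTP/1.1" 200 40000 "-" "Mozilla/5.0 (constructed-browser)"',
    '198.51.100.7 - - [10/May/2019:12:01:05 +0000] "GET / HTTP/1.1" 200 40000 "-" "Mozilla/5.0 (constructed-browser)"',
    "not a log line",
]

if __name__ == "__main__":
    for (ip, ua), info in rank_by_distinct_paths(summarize_clients(SAMPLE_LOG_LINES)):
        print(f"{ip:15} requests={info['requests']:3} distinct_paths={len(info['paths']):3} ua={ua}")
```

Run it on a real file with `summarize_clients(open("/var/log/apache2/access.log"))`, then filter the ranked list to the time window in which the scan was started from the Magento Security Scan Tool dashboard; the client that appears only in that window, requesting many distinct paths, is the one to correlate with the scan report.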