| Document register | Riigi Infosüsteemi Amet (Information System Authority) |
| Reference | 9-3/25-0089/2696 |
| Registered | 15.01.2026 |
| Synchronised | 16.01.2026 |
| Type | Outgoing letter |
| Function | 9 Organisation of cybersecurity services |
| Series | 9-3 Correspondence on the security of the state information system |
| File | 9-3/25-0089 |
| Access restriction | Public |
| Addressee | Justiits- ja Digiministeerium (Ministry of Justice and Digital Affairs) |
| Method of receipt/dispatch | Justiits- ja Digiministeerium |
| Responsible unit | Incident Handling Department |
Pärnu mnt 139a / 15169 Tallinn / 663 0200 / [email protected] / www.ria.ee / registry code 70006317

Natalja Zinovjeva
Justiits- ja Digiministeerium

Our ref. 15.01.2026 No 9-3/25-0089/2696

Reports on the central security testing of state authorities' information systems

Dear Natalja Zinovjeva,

Pursuant to Directive No 127 of the Minister of Entrepreneurship and Information Technology of 13.05.2022 and Decision No 24.8-4/S/954-1 of the Deputy Secretary General for Digital Development of 05.04.2024, we submit 21 reports on the central security testing of state authorities' information systems carried out by the Information System Authority (Riigi Infosüsteemi Amet). The reports contain information on the testing of the information systems and on the associated resource costs.

Yours sincerely,
(signed digitally)
Joonas Heiter
Director General

Annex: Security tests

Andres Klemm
53402624 [email protected]
¹ Comprehensive security test – penetration test
² Article 35 subsection 1 clause 9 of the Public Information Act: https://www.riigiteataja.ee/en/eli/503052023003/consolide; "9) information including a description of security systems, security organisations or security measures;"

COMPREHENSIVE SECURITY TEST¹ No 1

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 13.02.2024 – 28.02.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: White box testing using an existing non-privileged user account and access to the source code. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Authentication flaws with low, medium and high impact. Session management flaws with low, medium and high impact. Input validation flaw with high impact. Cryptography flaw with high impact. Configuration flaws with low, medium and high impact.
Summary of penetration testing findings according to CVSS 3.1: 3 findings with critical impact, 5 findings with high impact, 7 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 79 | Input Validation | High | High | None | 9.3 (Critical) | |
| 287 | Authentication | High | High | None | 9.6 (Critical) | |
| 304 | Authentication | None | Medium | Low | 5.4 (Medium) | |
| 326 | Cryptography | High | High | None | 9.6 (Critical) | |
| 497, 200 | Configuration | Low | None | None | 3.7 (Low) | Environmental metrics |
| 522, 798 | Configuration | High | Low | None | 8.9 (High) | Temporal metrics |
| 613 | Session Management | High | Medium | None | 8.2 (High) | |
| 613 | Session Management | Low | Low | None | 4.6 (Medium) | |
| 614, 1004, 16 | Session Management | High | Medium | None | 8.2 (High) | |
| 620 | Authentication | None | High | None | 7.4 (High) | |
| 620 | Authentication | None | Medium | None | 4.1 (Medium) | |
| 778 | Session Management | High | High | None | 8.1 (High) | |
| 862 | Authorization | Low | Medium | None | 5.4 (Medium) | |
| 1021, 116, 523 | Configuration | None | Medium | None | 4.5 (Medium) | |
| 1026 | Configuration | None | Medium | None | 6.7 (Medium) | Environmental metrics |
| - | Configuration | Low | Low | Low | 4.5 (Medium) | Environmental metrics |
COMPREHENSIVE SECURITY TEST¹ No 10

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 30.04.2024 – 02.05.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: White box testing with access to the source code and configuration. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Files and resources flaw with low impact. Configuration flaw with low impact.
Summary of penetration testing findings according to CVSS 3.1: 3 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 862 | Access Control | None | None | Medium | 4.4 (Medium) | Environmental metrics |
| 200 | Files and Resources | Low | Low | Low | 5.6 (Medium) | Environmental metrics |
| 1021 | Configuration | Low | Low | Low | 5.7 (Medium) | Temporal metrics |
| - | Configuration | Info | Info | Info | None | |
COMPREHENSIVE SECURITY TEST¹ No 11

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 30.05.2024 – 20.06.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: White box testing using an existing non-privileged user account and access to the source code. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Input validation flaws with medium and high impact. Configuration flaws with medium and high impact. Authentication flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 3 findings with high impact, 6 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 95 | Input Validation | High | High | High | 8.5 (High) | |
| 502 | Input Validation | High | High | High | 8.5 (High) | |
| 79 | Input Validation | Medium | Medium | Low | 5.5 (Medium) | |
| 79 | Input Validation | Medium | Medium | Low | 5.5 (Medium) | |
| 79 | Input Validation | Medium | Medium | Low | 5.5 (Medium) | |
| 116 | Input Validation | Medium | Medium | Low | 5.5 (Medium) | |
| 200 | Configuration | High | Low | None | 8.5 (High) | |
| 1021, 116 | Configuration | Medium | Medium | Low | 5.4 (Medium) | |
| 521 | Authentication | Medium | None | Low | 5.9 (Medium) | Environmental metrics |
COMPREHENSIVE SECURITY TEST¹ No 12

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 08.05.2024 – 12.07.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: White box testing using an existing non-privileged user account and access to the source code; a privileged account was used for the final testing. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Authentication flaw with medium impact. Configuration flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 2 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 287 | Authentication | Low | Low | Low | 6.6 (Medium) | Temporal and environmental metrics |
| 420 | Configuration | None | Low | Low | 6.2 (Medium) | Temporal metrics |
COMPREHENSIVE SECURITY TEST¹ No 13

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 30.04.2024 – 28.06.2024
Objective of the penetration testing: Detect vulnerabilities in the external and internal perimeter.
Approach, scope and caveats: Physical and IT penetration test.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Procedural flaws with medium impact. Authentication flaw with low impact.
Summary of penetration testing findings according to CVSS 3.1: 2 findings with medium impact, 1 finding with low impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Reports exchanged between the parties (not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 358 | Procedure | High | High | High | 6.3 (Medium) | Temporal metrics |
| 1263 | Procedure | High | High | High | 6.3 (Medium) | Temporal metrics |
| 1263, 287 | Authentication | Low | None | None | 2.4 (Low) | Temporal metrics |
COMPREHENSIVE SECURITY TEST¹ No 14

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 10.05.2024 – 28.06.2024
Objective of the penetration testing: Detect vulnerabilities in the external and internal perimeter.
Approach, scope and caveats: Physical and IT penetration test.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Authentication flaw with high impact. Configuration flaw with high impact. Procedure flaw with medium impact. Authorization flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 2 findings with high impact, 2 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Reports exchanged between the parties (not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 1263, 287 | Authentication | High | High | Medium | 7.2 (High) | Base metrics |
| 1263 | Configuration | High | High | Low | 7.1 (High) | Base metrics |
| 1263, 358 | Procedure | High | Medium | High | 6.9 (Medium) | Temporal metrics |
| 612 | Authorization | Medium | None | None | 5.0 (Medium) | Base metrics |
COMPREHENSIVE SECURITY TEST¹ No 15

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 07.08.2024 – 19.08.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: Gray box testing with access to the software documentation. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Access control flaws with medium impact. Session management flaw with informational impact.
Summary of penetration testing findings according to CVSS 3.1: 2 findings with medium impact, 1 finding with informational impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 16 | Session Management | Info | Info | Info | None | |
| 352 | Access Control | None | Medium | Medium | 6.5 (Medium) | |
| 352 | Access Control | None | Medium | Medium | 6.5 (Medium) | |
COMPREHENSIVE SECURITY TEST¹ No 16

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 17.07.2024 – 30.10.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: Gray box testing with access to the software documentation. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: 3 configuration flaws with high impact. 4 input validation flaws with high impact. 1 session management flaw with high impact. 1 error handling flaw with medium impact. 1 configuration flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 8 findings with high impact, 2 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 200 | Configuration | High | None | None | 8.6 (High) | Temporal metrics |
| 502 | Input Validation | High | High | High | 9.0 (Critical) | |
| 326 | Cryptography at Rest | High | None | None | 7.6 (High) | Temporal metrics |
| 210 | Error Handling | Low | None | None | 4.1 (Medium) | Environmental metrics |
| 79 | Input Validation | High | High | None | 9.3 (Critical) | Temporal metrics |
| 79 | Input Validation | High | High | None | 9.3 (Critical) | Temporal metrics |
| 79 | Input Validation | High | High | None | 9.3 (Critical) | Temporal metrics |
| 614, 1004 | Session Management | High | High | None | 8.9 (High) | Temporal metrics |
| - | Configuration | None | None | Medium | 5.8 (Medium) | Environmental metrics |
| 1026 | Configuration | Medium | Medium | Medium | 7.0 (High) | Environmental metrics |
COMPREHENSIVE SECURITY TEST¹ No 17

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 11.11.2024 – 20.11.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: Gray box testing with access to the software documentation. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: 1 configuration flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 1 finding with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 1395 | Configuration | Medium | Medium | Medium | 5.0 (Medium) | |
COMPREHENSIVE SECURITY TEST¹ No 18

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 16.12.2024 – 31.12.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: Gray box testing with access to the software documentation. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: 1 error handling and logging flaw with low impact. 1 file upload flaw with medium impact. 1 input validation flaw with low impact.
Summary of penetration testing findings according to CVSS 3.1: 1 finding with low impact, 2 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 210 | Error Handling and Logging | Low | None | None | 3.5 (Low) | Environmental metrics |
| 434, 22, 770 | File Upload | Medium | Medium | Medium | 5.8 (Medium) | Temporal metrics |
| 159 | Input Validation | None | Low | None | 4.3 (Medium) | |
COMPREHENSIVE SECURITY TEST¹ No 19

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 25.11.2024 – 31.12.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: Gray box testing with access to the software documentation. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Authentication flaw with medium impact. Authentication flaw with low impact. Input validation flaw with low impact. Configuration flaw with low impact.
Summary of penetration testing findings according to CVSS 3.1: 1 finding with high impact, 3 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 540, 1002 | Authentication | Medium | Medium | Medium | 8.1 (High) | |
| 330 | Authentication | Low | Low | None | 6.5 (Medium) | |
| 20 | Input Validation | Low | Low | Low | 5.0 (Medium) | |
| 1021 | Configuration | Low | Low | Low | 4.4 (Medium) | Temporal metrics |
COMPREHENSIVE SECURITY TEST¹ No 2

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 11.01.2024 – 24.01.2024
Objective of the penetration testing: Detect vulnerabilities in an existing web application using the OWASP framework.
Approach, scope and caveats: White box testing using an existing non-privileged user account and access to the source code; a privileged account was used for the final testing. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: Input validation flaw with high impact. Session management flaws with medium impact. Error handling flaw with medium impact. Configuration flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 1 finding with high impact, 4 findings with medium impact, 1 finding with low impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Report handed over (recipient not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 613 | Session Management | Medium | Medium | None | 4.6 (Medium) | |
| 820 | Session Management | None | Low | Medium | 3.5 (Low) | |
| 943 | Input Validation | High | None | Low | 7.1 (High) | |
| 209 | Error Handling and Logging | Medium | None | None | 4.6 (Medium) | Temporal metrics |
| 799 | Business Logic | None | None | Medium | 5.3 (Medium) | |
| 1395 | Configuration | Medium | None | Low | 6.5 (Medium) | |
| 79 | Configuration | Medium | Medium | None | 4.6 (Medium) | |
COMPREHENSIVE SECURITY TEST¹ No 20

BACKGROUND INFORMATION²
Related reform: 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure
Target name: 58. Central security testing of public authorities' information systems
Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.

PENETRATION TESTING INFORMATION
Date / period of testing: 10.05.2024 – 28.06.2024
Objective of the penetration testing: Detect vulnerabilities in the external and internal perimeter.
Approach, scope and caveats: Physical and IT penetration test.
Penetration testing team organisation: (not stated)
Penetration testing tools used: (not stated)
Summary of the penetration test performed: 2 authentication flaws with high impact. Configuration flaw with high impact. 2 authorization flaws with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 3 findings with high impact, 2 findings with medium impact.
Prioritized vulnerabilities findings: Please see annex 1.
Risk and impact ranked findings: Please see annex 1.
Follow-up activities: Reports exchanged between the parties (not stated). Fixing activities are pending.
Annex No and name: Annex 1 – Findings and Impact

Annex 1 – Findings and Impact

| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score | Notes |
|---|---|---|---|---|---|---|
| 1263, 287 | Authentication | High | High | Medium | 7.2 (High) | Base metrics |
| 286 | Authentication | High | High | High | 7.2 (High) | Base metrics |
| 1263 | Configuration | High | High | Low | 7.1 (High) | Base metrics |
| 612 | Authorization | Medium | None | None | 5.0 (Medium) | Base metrics |
| 863 | Authorization | Medium | Medium | Medium | 4.4 (Medium) | Base metrics |
COMPREHENSIVE SECURITY TEST No 21
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 25.11.2024 – 19.12.2024
Objective of the penetration testing: Detect vulnerabilities in the Windows Active Directory and Windows infrastructure, using the MITRE ATT&CK framework.
Approach, scope and caveats: Gray-box testing with access to documentation.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: 1 Credential Access flaw with critical impact; 5 Credential Access flaws with high impact; 4 Credential Access flaws with medium impact; 1 User Account Management flaw with high impact; 2 User Account Management flaws with medium impact; 2 Active Directory Configuration flaws with medium impact; 2 Active Directory Configuration flaws with low impact; 1 Software Update flaw with high impact; 1 Software Update flaw with medium impact; 1 Privileged Access Management flaw with high impact; 1 Privileged Access Management flaw with medium impact; 1 Privileged Process Integrity flaw with medium impact; 1 Auditing flaw with low impact.
Summary of penetration testing findings according to CVSS 3.1: 1 finding with critical impact, 8 findings with high impact, 11 findings with medium impact, 3 findings with low impact, 6 findings at informational level.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Report handed over to
Fixing activities are pending.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | MITRE reference | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 327 | T1558.004 | High | High | High | 9.0 Critical |
| 326 | T1557.001 | High | Medium | Low | 7.5 High (Environmental) |
| 269 | M1015 | Low | Low | Low | 3.9 Low |
| 269 | M1018 | Low | Medium | Low | 6.3 Medium |
| 284 | M1018 | Low | Low | Low | 4.6 Medium |
| 300 | T1557.001 | Low | High | Low | 8.2 High |
| 841 | M1018 | High | High | High | 8.0 High |
| 1104 | M1051 | Low | High | Low | 7.4 High (Temporal) |
| 521 | M1015 | Low | None | Low | 3.4 Low |
| 754 | M1051 | Low | Low | Low | 4.3 Medium |
| 522 | T1558.003 | Medium | Medium | Low | 5.1 Medium |
| 732 | M1015 | Medium | Low | Low | 5.1 Medium |
| 521 | T1003.004 | Low | Low | Low | 4.3 Medium |
| 266 | M1015 | None | None | None | Info |
| 250 | M1026 | High | High | High | 7.6 High |
| 269 | M1025 | Medium | Low | Low | 4.6 Medium |
| 263 | M1026 | High | Low | High | 6.4 Medium |
| 732 | M1015 | Medium | Low | Low | 5.1 Medium |
| 276 | M1015 | None | None | None | Info |
| 620 | T1558.001 | High | High | High | 8.0 High |
| 778 | M1026 | None | None | None | Info |
| 778 | M1047 | Low | Low | None | 3.7 Low |
| 276 | T1557.001 | High | High | High | 8.8 High |
| 347 | T1557 | Low | Medium | Low | 5.1 Medium |
| 300 | T1557 | High | High | High | 8.1 High |
| 200 | T1555.005 | Medium | Medium | Low | 5.5 Medium |
| 266 | T1110.003 | None | None | None | Info |
| 326 | T1600.001 | None | None | None | Info |
| 778 | M1047 | None | None | None | Info |
COMPREHENSIVE SECURITY TEST No 3
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 24.01.2024 – 31.01.2024
Objective of the penetration testing: Detect vulnerabilities in the existing web application using the OWASP framework.
Approach, scope and caveats: White-box testing using an existing non-privileged user account and access to the source code; a privileged account was used for final testing. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: Input validation flaw with high impact. Session management flaws with medium impact. Error handling flaw with medium impact. Configuration flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 3 findings with high impact.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Report handed over to
Fixing activities are pending.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | Finding | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 79 | XSS in file upload element label field | Medium | High | Low | 8.2 (High) |
| 79 | XSS in radio form label field | Medium | High | Low | 8.2 (High) |
| 79 | Potential XSS in createBadge | Informational | Informational | Informational | 8.2 (High) |
COMPREHENSIVE SECURITY TEST No 4
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 24.10.2023 – 01.11.2023
Objective of the penetration testing: Detect vulnerabilities in the new public internet kiosk solution.
Approach, scope and caveats: Black-box testing with unprivileged physical access.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: Authentication flaws with low, medium and high impact. Session management flaws with low, medium and high impact. Input validation flaw with high impact. Cryptography flaw with high impact. Configuration flaws with low, medium and high impact.
Summary of penetration testing findings according to CVSS 3.1: 4 findings with high impact, 3 findings with medium impact.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Report handed over to
Fixing activities are pending.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | CWE name | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 494 | Download of Code Without Integrity Check | Low | Low | Low | 4.8 (Medium) |
| 862 | Missing Authorization | High | High | Medium | 7.3 (High) |
| 285 | Improper Authorization | Critical | Critical | High | 7.8 (High) |
| 36 | Absolute Path Traversal | Low | Low | Low | 5.3 (Medium) |
| 36 | Absolute Path Traversal | Low | Low | Low | 5.3 (Medium) |
| 286 | Incorrect User Management | High | Medium | Low | 7.6 (High), environmental score |
| 286 | Incorrect User Management | Critical | Low | Low | 8.8 (High), environmental score |
COMPREHENSIVE SECURITY TEST No 5
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 20.12.2023 – 16.01.2024
Objective of the penetration testing: Detect vulnerabilities in the external and internal perimeter.
Approach, scope and caveats: Physical and IT penetration test.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: Configuration flaws with low, medium and high impact. Authentication flaws with low, medium, high and critical impact.
Summary of penetration testing findings according to CVSS 3.1: 2 findings with critical impact, 2 findings with high impact, 3 findings with low impact. Note: at the time of writing the report, CVSS 3.1 was not used; the CVSS scores in the current report may therefore differ slightly from those in the technical testing report.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Report handed over to
Fixing activities are pending. A hot wash-up meeting was held on site immediately after the end of the exercise with the directly affected employees.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 612 | Authorization | High | None | None | 9.8 Critical |
| 1263, 287 | Authentication | High | Low | Low | 7.1 High |
| 1263, 287 | Authentication | High | Low | Low | 7.2 High |
| 223 | Configuration | Low | None | None | 2.1 Low |
| 1263 | Configuration | Low | None | None | 2.2 Low |
| 287 | Authentication | High | None | None | 4.9 Medium |
| 1263 | Configuration | High | Low | Low | 5.4 Medium |
COMPREHENSIVE SECURITY TEST No 6
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 05.02.2024 – 13.03.2024
Objective of the penetration testing: Detect vulnerabilities in the external and internal perimeter.
Approach, scope and caveats: Physical and IT penetration test.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: Monitoring flaws with low and high impact. Authentication flaws with informational, low, medium and high impact. Authorization flaws with low, medium and high impact. Configuration flaws with low impact.
Summary of penetration testing findings according to CVSS 3.1: 1 finding with high impact, 2 findings with medium impact, 2 findings with low impact, 1 finding at informational level.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Report handed over to
A hot wash-up meeting was held after the exercise ended.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 1263 | Monitoring | High | Low | Low | 7.1 High |
| 1263 | Authentication | High | Low | Low | 6.9 Medium |
| 1263 | Authorization | High | Low | Low | 6.8 Medium |
| 1263 | Configuration | Low | None | None | 2.2 Low |
| 1263 | Configuration | Low | None | None | 2.2 Low |
| 1263 | Authentication | None | None | None | 0.0 Info |
COMPREHENSIVE SECURITY TEST No 7
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 15.02.2024 – 03.04.2024
Objective of the penetration testing: Detect vulnerabilities in the external and internal perimeter.
Approach, scope and caveats: Physical and IT penetration test.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: Configuration flaws with low impact. Authentication flaws with low, medium and high impact. Procedural flaws with low, medium and high impact.
Summary of penetration testing findings according to CVSS 3.1: 2 findings with high impact, 3 findings with medium impact, 1 finding with low impact.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Short general feedback and a detailed report were handed over to the client, and advice was given on how to give effective feedback to the employees.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 1263, 223 | Authentication | High | High | Low | 7.5 High |
| 1263, 287 | Authentication | High | High | Low | 7.2 High |
| 1263, 287 | Procedure | High | High | Low | 6.7 Medium |
| 1263 | Procedure | High | High | High | 6.3 Medium |
| 1263 | Authentication | Low | Low | Low | 5.2 Medium |
| 1263 | Configuration | Low | Low | Low | 3.7 Low |
COMPREHENSIVE SECURITY TEST No 8
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 09.05.2024 – 15.05.2024
Objective of the penetration testing: Detect vulnerabilities in the existing web application using the OWASP framework.
Approach, scope and caveats: White-box testing with access to the source code and configuration. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: Configuration flaw with medium impact. Cryptography-at-rest flaw with medium impact. Business logic flaw with low impact. Error handling and logging flaw with low impact.
Summary of penetration testing findings according to CVSS 3.1: 2 findings with medium impact, 2 findings with low impact.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Report handed over to
Fixing activities are pending.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 1395 | Configuration | Medium | Medium | None | 6.2 Medium (Temporal) |
| 326, 327 | Cryptography at rest | Medium | Medium | None | 4.4 Medium (Temporal) |
| 841 | Business logic | None | None | Medium | 3.1 Low |
| 117 | Error handling and logging | None | Medium | None | 3.5 Low (Temporal) |
COMPREHENSIVE SECURITY TEST No 9
Background information: Related reform 3.5 Reconfiguration of basic digital services and safe transition to cloud infrastructure. Target name: 58. Central security testing of public authorities’ information systems. Target description: Number of comprehensive security tests carried out by the Information System Authority; the test results shall be summarised in reports. The test was financed by the European Union from the NextGenerationEU Recovery Fund.
Penetration testing information
Date / period of testing: 04.04.2024 – 19.04.2024
Objective of the penetration testing: Detect vulnerabilities in the existing web application using the OWASP framework.
Approach, scope and caveats: White-box testing using an existing non-privileged user account and access to the source code. Scope: OWASP ASVS 4.0.3 level 2.
Penetration testing team:
Organisation:
Penetration testing tools used:
Summary of the penetration test performed: Session management flaws with medium impact. Input validation flaws with medium and high impact. Cryptography flaw with medium impact. Communication security flaw with medium impact. Configuration flaws with low and medium impact. API and web services flaw with low impact. Malicious code flaw with medium impact.
Summary of penetration testing findings according to CVSS 3.1: 1 finding with high impact, 13 findings with medium impact, 1 finding with low impact.
Prioritized vulnerabilities findings: Please see Annex 1.
Risk and impact ranked findings: Please see Annex 1.
Follow-up activities: Report handed over to
Fixing activities are pending.
Annex No and name (if relevant): Annex 1 – Findings and Impact
Annex 1 – Findings and Impact
| CWE ID | Section | Confidentiality impact | Integrity impact | Availability impact | CVSS 3.1 score |
| 16 | Session management | Low | Medium | None | 6.4 Medium (Temporal) |
| 601 | Input validation | None | Low | None | 3.3 Low (Temporal) |
| 611 | Input validation | Medium | Medium | Low | 7.2 High (Temporal) |
| 116 | Input validation | Medium | Medium | Low | 6.0 Medium (Environmental) |
| 310, 326, 327, 798 | Cryptography | Medium | Low | None | 5.9 Medium (Temporal) |
| 295 | Communication security | Medium | Medium | Low | 6.0 Medium (Temporal) |
| 507 | Malicious code | None | None | Medium | 5.1 Medium (Temporal) |
| 650 | API and web services | None | Low | Low | 4.2 Medium (Temporal) |
| 497 | Configuration | Medium | Medium | None | 6.0 Medium (Temporal) |
| 200 | Configuration | Low | None | None | 4.0 Medium (Environmental) |
| 1021 | Configuration | Medium | Medium | None | 5.2 Medium (Temporal) |
| 116 | Configuration | None | Medium | Low | 5.2 Medium (Temporal) |
| 523 | Configuration | Medium | Medium | Low | 6.0 Medium (Temporal) |
| 116 | Configuration | Low | None | None | 4.1 Medium (Temporal) |
| 1021 | Configuration | Medium | Medium | None | 5.2 Medium (Temporal) |