I have a doubt: why does Qualys give me a compliance finding for this vulnerability (CVE-2011-3389 and QID 42366) if this CVE is equal to CVSS 4.3?
Or maybe this is a brute force? But this attack does not result in a password lockout.
The other thing is that this is a vulnerability of the client side, but why does Qualys give me a mitigation for the server?
We are currently performing an in-depth review of this QID to determine the appropriate PCI Status. I believe it will probably be marked as a PCI Failure in the near future. You may want to start investigating possible remediation steps if possible.
You are correct in that this is basically a client-side attack (which could play into the PCI scoring as well); however, since the risk could allow impersonation of the legitimate user session, this would still need to be remediated on the server side, to not allow the weak CBC mode usage. Security best practices indicate security should be enforced on the server side, as you shouldn't rely upon the end user to provide their own security.
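As an added illustration of the server-side remediation described above (this is example code, not part of the thread or of Qualys' guidance), the Python snippet below builds a TLS server context that requires TLS 1.2 or later and offers only AEAD cipher suites, and audits a constructed list of suite names such as a scanner might report. The cipher string and the sample names are assumptions for the example.

```python
import ssl
from typing import List

# OpenSSL names AEAD suites with GCM, CHACHA20 or CCM; any other suite a
# server still offers uses CBC mode (or a legacy stream cipher such as RC4).
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def is_non_aead_suite(name: str) -> bool:
    """True for CBC-mode (or legacy stream) suites, i.e. what should not be offered."""
    return not any(marker in name for marker in AEAD_MARKERS)


def audit_cipher_names(names: List[str]) -> List[str]:
    """Return the subset of reported suite names that are not AEAD suites."""
    return [n for n in names if is_non_aead_suite(n)]


def offered_non_aead_suites(ctx: ssl.SSLContext) -> List[str]:
    """Check what a context would actually offer, not just what we intended."""
    return audit_cipher_names([c["name"] for c in ctx.get_ciphers()])


def hardened_server_context() -> ssl.SSLContext:
    """Server context with the BEAST-relevant settings closed off:
    TLS 1.0 (chained CBC IVs) is refused, and only AEAD suites are offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher string for the example: forward-secret AEAD suites only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


# Constructed sample of suite names, as a scanner report might list them.
SAMPLE_SCAN_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",   # CBC: flagged
    "AES256-SHA",             # CBC, no forward secrecy: flagged
    "TLS_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    print("weak suites in sample report:", audit_cipher_names(SAMPLE_SCAN_SUITES))
    print("weak suites in hardened context:", offered_non_aead_suites(hardened_server_context()))
```

In a real deployment the same check should be run against the live listener with a scanner, since the server's actual cipher list is what the client negotiates against.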