Collaborate Disseminate
The Common Vulnerability Scoring System has a lot of critics, but experts say it’s still the best unified way to share the severity of cybersecurity flaws.
The post Infosec pros: We need CVSS, warts and all appeared first on CyberScoop.
There is a website that allows searching for content (without need for authentication). It uses GET parameter named "query" to search and it is vulnerable to reflected XSS. What is CVSS 3.0 score in the following scenarios?:
Vul… Continue reading CVSS 3.0 score for reflected XSS vulnerability in GET parameter [closed]
A website is given to pentester. It is observed that the website has a login page at https://example.com/admin. In this login page it is also possible to enumerate from error messages that the user "admin" actually exists. The pe… Continue reading CVSS Score for brute force attack [closed]
Looking at all the recent Linux kernel crash CVEs I see that the "Scope Changed" metric is always "Unchanged" indicating that "The vulnerable component is the affected component".
My question is, why wouldn’t … Continue reading Why is the "Scope Changed" CVSS Metric for Kernel Crash Vectors always "Unchanged"? [closed]
Looking at all the recent Linux kernel crash CVEs I see that the "Scope Changed" metric is always "Unchanged" indicating that "The vulnerable component is the affected component".
My question is, why wouldn’t … Continue reading Why is the "Scope Changed" CVSS Metric for Kernel Crash Vectors always "Unchanged"? [closed]
I have a set of features from an alert, including start-time, end-time, duration, protocol, srcip, srcport, dstip, dstport, iflags, uflags, riflags, ruflags, pkt, rpkt, oct, roct, app, entropy, rentropy, category_1, and category_2. I want … Continue reading How to calculate CVSS score from alert features? [closed]
The University of Erlangen-Nuremberg (Germany) is conducting a research study to investigate the consistency of CVSSv4 (Common Vulnerability Scoring System). If you are currently assessing vulnerabilities using CVSS, we would greatly appre… Continue reading How consistent are CVSSv4 scores? [closed]
The University of Erlangen-Nuremberg (Germany) is conducting a research study to investigate the consistency of CVSSv4 (Common Vulnerability Scoring System). If you are currently assessing vulnerabilities using CVSS, we would greatly appre… Continue reading How consistent are CVSSv4 scores? [closed]
While I was doing source code review of API handlers for REST APIs, I found a security issue.
This issue is that some methods have the annotation @PreAuthorize("permitAll()").
If I want to document this as a finding and give it a… Continue reading How to calculate CVSS score of a finding detected in the source code?
I am trying to calculate a CVSS score for a vulnerability. In my case, to exploit the vulnerability you should have network access to the server, which is sitting behind a firewall. This server is serving an application that only computers… Continue reading CVSS attack vector adjacent vs network