Collaborate Disseminate
In this Help Net Security interview, Michael Gorelik, CTO and Head of Malware Research at Morphisec, provides insights into the business impact of vulnerabilities. Gorelik discusses challenges posed by regulatory frameworks, incomplete asset inventorie… Continue reading Creating a formula for effective vulnerability prioritization
Introduction
Multi-tenant vs single-tenant software architectures
Software multitenancy is a software architecture in which a single instance of software runs on a server and serves multiple tenants. Systems designed in such manner are &q… Continue reading Calculating CVSS scores for vulnerabilities in multi-tenant applications
Is there any tool providing information such as exploitability state (i.e., None, POC & Functional/Active) and automatability data for a specified vulnerable component name and version?
Continue reading Information on the Exploitation and Automatability Data for Vulnerable components
I am using CVSS 3.1 and even though I read the documentation I still doubting with numerous findings. For example:
Internet facing hostname is missing CAA and SPF DNS record. What would PR be? I suppose you need high privileges in order t… Continue reading How to score CVSS for these findings?
We’ve talked a few times here about the issues with the CVSS system. We’ve seen CVE farming, where a moderate issue, or even a non-issue, gets assigned a ridiculously high …read more Continue reading This Week in Security: CVSS 4, OAuth, and ActiveMQ
If a web application (like an internet forum, social media, etc.) does not remove GPS metadata (EXIF) from uploaded pictures, is it considered a security vulnerability or not? Why? And would it be possible to calculate its CVSS score?
I de… Continue reading GPS metadata in uploaded pictures: vulnerability or not?
By Deeba Ahmed
IN SUMMARY The non-profit collective Forum of Incident Response and Security Teams (FIRST), has released the new version…
This is a post from HackRead.com Read the original post: CVSS v4.0 Released with New Supplemental Metrics, an… Continue reading CVSS v4.0 Released with New Supplemental Metrics, and OT/ICS/IoT Support
I am calculating the CVSS score for an issue, and I am confused about the Privileges Required (PR).
The issue is, for a client desktop app that connects to a server, the logged in user allows debugging, the JWT token of the user will be lo… Continue reading How to assess the Privilege Required?
I wanted to know why in the CVSSv4 there is no longer an equation where you take the input of metrics and calculate the cvss output.
Rather they take the input metrics, use it to compute a vector (ex: 000010), then look up for the cvss in … Continue reading CVSS v4 using lookup instead of simple formulas
Let’s say there is a XSS vulnerability in a web application. The XSS allows an attacker to hijack the user’s session. Within the session, the attacker can view/modify the user’s credit card and billing information, and even make a purchase… Continue reading CVSS3 score for XSS leading to account takeover