Collaborate Disseminate
I am calculating the CVSS score for an issue, and I am confused about the Privileges Required (PR).
The issue is, for a client desktop app that connects to a server, the logged in user allows debugging, the JWT token of the user will be lo… Continue reading How to assess the Privilege Required?
I wanted to know why in the CVSSv4 there is no longer an equation where you take the input of metrics and calculate the cvss output.
Rather they take the input metrics, use it to compute a vector (ex: 000010), then look up for the cvss in … Continue reading CVSS v4 using lookup instead of simple formulas
Let’s say there is a XSS vulnerability in a web application. The XSS allows an attacker to hijack the user’s session. Within the session, the attacker can view/modify the user’s credit card and billing information, and even make a purchase… Continue reading CVSS3 score for XSS leading to account takeover
A vulnerability management strategy that relies solely on CVSS for vulnerability prioritization is proving to be insufficient at best, according to Rezilion. In fact, relying solely on a CVSS severity score to assess the risk of individual vulnerabilit… Continue reading Relying on CVSS alone is risky for vulnerability management
Coalition’s recent Cyber Threat Index 2023 predicts the average Common Vulnerabilities and Exposures (CVEs) rate will rise by 13% over 2022 to more than 1,900 per month in 2023. As thousands of patches and updates are released each month, organizations… Continue reading A step-by-step guide for patching software vulnerabilities
FIRST has unveiled the latest version of its Common Vulnerability Scoring System (CVSS 4.0). Critical in the interface between supplier and consumer, CVSS provides a way to capture the principal characteristics of a security vulnerability and produces … Continue reading CVSS 4.0 released, to help assess real-time threat and impact of vulnerabilities
Let’s say I have an e-commerce organization. My organization has two security authorities A and B. The authority A manages access to data related to user orders, and the authority B manages access to data related to user payments.
My organ… Continue reading CVSS3 Scope change question
An ethical hacker found that a system I own, has an exposure of information. They were able to determine the programming language, a web framework and the exact versions of both from a stack trace by causing an unhandled exception in the a… Continue reading Should bounties be paid for information exposure?
I have been working with the NIST – NVD API v2 and I have noticed that the temporal metrics "remediationLevelType" and "exploitCodeMaturityType" are missing in ALL CVEs that I have searched for using the NVD API.
Althou… Continue reading CVSS v3 and v3.1 Missing temporal metrics (Exploit Code Maturity and Remediation Level) in all CVEs using NVD API
How do you map vulnerable components’ CVSS scores?
Do you use the CVE CVSS score? Do you calculate again?
For example: A host is using a component that has a CVE for a high vulnerability.
Do you report it as a HIGH vulnerability (like the … Continue reading Vulnerable Components CVSS Score