
From the CVSSv2 specification:

SCORING TIP #2: When scoring a vulnerability, consider the direct impact to the target host only. For example, consider a cross-site scripting vulnerability: the impact to a user's system could be much greater than the impact to the target host. However, this is an indirect impact. Cross-site scripting vulnerabilities should be scored with no impact to confidentiality or availability, and partial impact to integrity. (CVSSv2 spec)

This is also how I have seen XSS be scored in practice.

But even if we only consider the impact on the host, an attacker could use a JavaScript payload that reads out sensitive information from the affected web-application (if the victim is currently logged in of course, and if such sensitive information exists).

So why isn't confidentiality rated as low? Is this an indirect impact? And if so, why (and why isn't the integrity impact indirect then)? And for that matter, why isn't there an availability impact? Couldn't an attacker bypass CSRF protection and thus possibly (depending on the application of course) delete important data or change settings to make the application unavailable?

Related: Why is XSS scored with partial impact to integrity in CVSS V2?

I know this has been changed in CVSSv3 (because now the browser is considered instead of the host).

tim

    I would guess this is an example of tweaking the vectors to get the score you want. You are absolutely right that XSS can have a confidentiality impact. – paj28 Oct 09 '16 at 21:39

1 Answer


The answer is pretty simple: since it's an indirect effect of the XSS. Example: A vulnerability that allows you to read the cookies would have a confidentiality impact. But a vulnerability that allows you to inject XSS has an integrity impact (allows you to change the page); but even though you can arbitrarily change the page to a malicious page that steals the cookies, the scoring does not take into consideration the indirect vulnerabilities that are found.

Take for example this: A vulnerability in a download script allows an attacker to replace the EXE that is being downloaded. It would have a pretty high integrity impact.

But it does not have a confidentiality impact just because the malicious EXE being downloaded could leak information.

Same with XSS. This scoring is important as the remediation of the vulnerability is to solve it at its source (remove the possibility of XSS by filtering better). Improving the confidentiality won't solve this without incurring unintended side effects, and on top of that, the XSS would remain in the web application, causing the vulnerability to still be in effect (the CVE can't be registered as solved) because there are other risks than confidentiality risks.

The CVSSv3 system does have a few other vectors added that compensate for this; that's why it is also changed in CVSSv3 (with the scope change metrics, which take into consideration whether the effect of the attack happens somewhere else, and this can then be considered when mitigating the vulnerability).

sebastian nielsen
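To make the numbers behind the question and the answer concrete, here is a small CVSSv2 base-score calculator. It is an added example, not code from the question, the answer or the CVSS specification itself; it implements the published v2 base equation (metric weights and the 0.6/0.4/1.5/1.176 constants are from the v2 guide) and scores the conventional XSS vector AV:N/AC:M/Au:N/C:N/I:P/A:N beside the variants the question argues for (adding C:P, then C:P and A:P). The vector strings and the label names are constructed for the example.

```python
"""Added example: CVSS v2 base-score calculator, used to compare how the
conventional XSS vector (partial integrity, no confidentiality or availability
impact) scores against vectors that also count confidentiality or availability.
Metric weights and constants are those published in the CVSS v2 guide."""

# Exploitability metric weights (Access Vector, Access Complexity, Authentication)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
# Impact metric weights, shared by Confidentiality, Integrity and Availability
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector):
    """Parse 'AV:N/AC:M/Au:N/C:N/I:P/A:N' into a dict; reject incomplete or unknown metrics."""
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(parts) != expected:
        raise ValueError(f"base vector must contain exactly {sorted(expected)}: {vector!r}")
    return parts


def impact_subscore(c, i, a):
    """Impact = 10.41 * (1 - (1-C)(1-I)(1-A)); each extra partial impact raises it."""
    return 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))


def exploitability_subscore(av, ac, au):
    """Exploitability = 20 * AV * AC * Au."""
    return 20 * AV[av] * AC[ac] * AU[au]


def cvss2_base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the guide specifies."""
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    exploit = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    # f(Impact) zeroes the score when no CIA metric is affected at all
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploit - 1.5) * f_impact, 1)


# Constructed vectors: the scoring-tip vector for XSS and the alternatives from the question
XSS_VECTORS = {
    "spec tip (I:P only)": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "plus confidentiality (C:P)": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
    "plus availability (C:P, A:P)": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
}


def compare_xss_scorings():
    """Return {label: base score} so the effect of each extra impact metric is visible."""
    return {label: cvss2_base_score(v) for label, v in XSS_VECTORS.items()}


if __name__ == "__main__":
    for label, score in compare_xss_scorings().items():
        print(f"{label:32s} {score}")
```

Run as a script it shows why the choice matters for triage: the tip's vector scores 4.3 (medium), while counting the indirect cookie theft as C:P lifts the same finding to 5.8, and adding A:P to 6.8. The scope metric the answer refers to is a CVSSv3 construct and is not modelled here.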