During a security test I was wondering what the risk classification would be in an authenticated XSS vulnerability. I understand that it depends on classification schemes, so the focus in this question is "what are the leftover risks?" and would that classify (guess-timate) as low, medium, high or critical.
The vulnerability:
An authenticated user can inject JavaScript in a part of the website/application that is only accessible by other authenticated users.
Constraints:
- There are different roles/groups of users, but the part of the site is only accessible by a specific group (with different roles).
- Authentication cookies have the HTTPonly flag
- It is not directly after login, the user needs to actually click through a couple of screens to get to the actually vulnerable part/post