
The Common Vulnerability Scoring System Version 3.0 rates the severity of a vulnerability depending on factors such as:

  • Attack Vector (AV) - What kind of access does an attacker need? Can they do it over the net or do they need physical access?
  • Attack Complexity (AC) - Does the attack work every time or do very specific circumstances outside the attacker's control need to be in place?
  • Privileges Required (PR) - What kind of privileges does the attacker need for this attack to be successful?
  • User Interaction (UI) - Does the user need to interact with the attacker in a certain way for the attack to be successful?
  • Scope (S) - Does the vulnerability affect the same, or a different component?
  • Confidentiality (C) - How does this vulnerability affect the confidentiality of data?
  • Integrity (I) - How does this vulnerability affect the integrity of data?
  • Availability (A) - How does this vulnerability affect the availability of data?

I am somewhat confused with Privileges Required (PR), especially how to rate certain vulnerabilities. Here is the definition of Privileges Required, according to the CVSS3 Specification v1.8:

Privileges Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is presented in Table 3.

Table 3: Privileges Required:

  • None (N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
  • Low (L): The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
  • High (H): The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.

Now imagine the following attack scenario: A company creates a forum for their community, in which people can create posts. Signatures of users are put below each post. A user can include a malicious <script>-tag in their signature to create a stored XSS-attack on anyone reading any of their posts.

How would this be rated?

My reasoning would be that the privileges required are "None (N)", as the attacker does not require any access to settings or files to carry out an attack. However, I have heard people arguing that this would be classified as "Low (L)", as the attacker does indeed need an account to use the forum software and therefore is not unprivileged.

1 Answer


First of all, a bigger PR makes lower risk ratings; it will not increase scores.

In that guide, https://www.first.org/cvss/cvss-v3-guide.pdf (page 18), Low privilege will be 0.62 and High will be 0.27; they are used in a multiplication.

You can calculate V3 scores at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator to see results.

To determine your scenario we need to ask one question: "can anyone register on this forum?" The possible results are listed and explained below.

  • "No, there is forum admins and they accepts users": Someone gives authorization to users so this is a low PR.
  • "Yes, anyone can register simply": No-one reviews users and gives additional authorization so this is a none
alnbhclyn
  • 254
  • 1
  • 7
  • Thank you for your answer, but I don't understand why you wrote the first half of it. I know how the calculation works and how PR affects the score. –  May 28 '19 at 08:54
  • My mistake, I could not predict how confused you were :-) so I started from the very beginning :-) – alnbhclyn May 28 '19 at 09:05
  • The second part is fine as it is. –  May 28 '19 at 09:06